Drive-by comment: Doesn't this give a bit too much control of the omnibox to the page? Will a page now be able to show and hide the "not secure" warning arbitrarily? I can't think of any interesting attack other than potentially DOSing the omnibox, but it might still be worth thinking about.

+emilyschechter, WDYT of comment 2?

We're not generally concerned with sites that want to hide the "Not secure" warning; if they want to get around it without using HTTPS, there will always be ways (e.g. a JS+CSS password widget that simulates a password field without actually being an <input type="password">).

Sites could certainly be very annoying by flickering stuff in and out of the omnibox, but I don't know how concerning that is. If a site's wants to be annoying, they can already do that in lots of ways.

I'm really only concerned about the annoyance/performance aspects of flickering the label. To mitigate this we had discussed doing some sort of thresholding so i.e. the warning could only go in/out once per page load. Is that possible?

Re #4: yeah, I think so. I'm a little worried about sending a confusing message (I'm imagining a user opening a login form, seeing that it's Not Secure and closing it, opening it again and seeing no warning and concluding that it's all good and secure now). But we can implement it and play with it and get feedback.

I think we shouldn't worry about this.  We already do some update coalescing in the UI, but in general pages can update e.g. their tab titles constantly as well, which doesn't seem less annoying, and we don't try to prevent that.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/556439aac8b23fd346feb501d33a1488aa4f7f7d

commit 556439aac8b23fd346feb501d33a1488aa4f7f7d
Author: estark <estark@chromium.org>
Date: Wed Nov 02 23:25:46 2016

Count visible password fields on a page

For HTTP-bad phase 1 ( https://crbug.com/647754 ), a "Not secure" warning
in the omnibox should show up when a password field is visible on an
HTTP page, and disappear when all password fields are gone.

This CL counts password fields in a frame, incrementing the counter when
a PasswordInputType creates a layout object and decrementing it on the
layout object's willBeDestroyed() method. A Mojo IPC is sent when the
counter is decremented to 0.

A follow-up CL will keep track of the visibility of password fields per
RenderFrameHost and remove the omnibox warning when there are no visible
password fields anywhere in the frame tree.

BUG= 658764 

Review-Url: https://codereview.chromium.org/2468833002
Cr-Commit-Position: refs/heads/master@{#429450}

[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/components/password_manager/content/browser/content_password_manager_driver.cc
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/components/password_manager/content/browser/content_password_manager_driver.h
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/third_party/WebKit/Source/core/html/forms/PasswordInputType.cpp
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/third_party/WebKit/Source/core/html/forms/PasswordInputTypeTest.cpp
[modify] https://crrev.com/556439aac8b23fd346feb501d33a1488aa4f7f7d/third_party/WebKit/public/platform/modules/sensitive_input_visibility/sensitive_input_visibility_service.mojom

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fae6b587d9fc7a0f04dad715173aaadcc31968de

commit fae6b587d9fc7a0f04dad715173aaadcc31968de
Author: estark <estark@chromium.org>
Date: Fri Nov 04 05:20:31 2016

Notify SSLManager when all password fields on a page are gone

For HTTP-bad phase 1 ( https://crbug.com/647754 ), a "Not secure" warning
in the omnibox should show up when a password field is visible on an
HTTP page, and disappear when all password fields are gone.

This CL adds a WebContentsObserver to ContentPasswordManagerDriver which
keeps track of frames in the current page that have visible password
fields. When all frames' password fields have been hidden, the observer
notifies the WebContents, which notifies the SSLManager, which removes
the relevant flag from the SSLStatus.

This is based on top of https://codereview.chromium.org/2468833002/,
which sends a Mojo IPC from Blink whenever a frame's password fields are
all hidden.

BUG= 658764 

Review-Url: https://codereview.chromium.org/2467773002
Cr-Commit-Position: refs/heads/master@{#429793}

[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/components/password_manager/content/browser/BUILD.gn
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/components/password_manager/content/browser/content_password_manager_driver.cc
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/components/password_manager/content/browser/content_password_manager_driver_unittest.cc
[add] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/components/password_manager/content/browser/visible_password_observer.cc
[add] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/components/password_manager/content/browser/visible_password_observer.h
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/content/browser/ssl/ssl_manager.cc
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/content/browser/ssl/ssl_manager.h
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/content/browser/web_contents/web_contents_impl.cc
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/content/browser/web_contents/web_contents_impl.h
[modify] https://crrev.com/fae6b587d9fc7a0f04dad715173aaadcc31968de/content/public/browser/web_contents.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/60c821beda0a73f3348eea000aa2da4b9ca018e1

commit 60c821beda0a73f3348eea000aa2da4b9ca018e1
Author: vabr <vabr@chromium.org>
Date: Fri Nov 04 15:08:37 2016

Clean up #includes in content_password_manager_driver.cc

This is a tiny clean-up, removing headers added but ultimately unused by
https://codereview.chromium.org/2467773002/.

BUG= 658764 

Review-Url: https://codereview.chromium.org/2473353002
Cr-Commit-Position: refs/heads/master@{#429886}

[modify] https://crrev.com/60c821beda0a73f3348eea000aa2da4b9ca018e1/components/password_manager/content/browser/content_password_manager_driver.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fda8404f14dba9919b4eb15e328459dfd45831c6

commit fda8404f14dba9919b4eb15e328459dfd45831c6
Author: estark <estark@chromium.org>
Date: Tue Nov 08 04:02:35 2016

Use attach/detachLayoutTree to signal password counting

As a follow-up to https://codereview.chromium.org/2468833002/, use
attachLayoutTree/detachLayoutTree to count visible password fields on a
page, instead of subclassing LayoutObject.

BUG= 658764 

Review-Url: https://codereview.chromium.org/2485803002
Cr-Commit-Position: refs/heads/master@{#430514}

[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/html/forms/InputType.h
[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/html/forms/PasswordInputType.cpp
[modify] https://crrev.com/fda8404f14dba9919b4eb15e328459dfd45831c6/third_party/WebKit/Source/core/html/forms/PasswordInputType.h

Test site, where we can test the potential spammy label in-and-out issue (re: c#2): http://webdbg.com/test/forms/annoy.html

Security>UX component is deprecated in favor of the Team-Security-UX label