[Password Manager] [Meta] Don't save non-password data (CVV, SSN, PIN, etc.) as passwords
Issue description
Chrome might misclassify forms/fields and save non-password data (CVV, SSN, PIN, etc.) as passwords. Let's collect issues where the password manager is triggered on a non-password form (none of login/sign-up/change password/reset password form), e.g. a credit card form. If Chrome chooses an incorrect field as the password, assign it to Issue 771657.
Dec 14 2016
Issue 530448 has been merged into this issue.
Dec 14 2016
Issue 505510 has been merged into this issue.
Dec 14 2016
Issue 596081 has been merged into this issue.
Mar 9 2017
Issue 638634 has been merged into this issue.
May 9 2017
Hi folks, What would be the easiest way to reproduce this, without creating accounts on these sites? mathp@: Maxim pointed out that you had a discussion about this issue some time ago.
May 9 2017
Hi, There needs to be a password saved for a given site, because that's how the automated password filling works. Then navigate to a page that has a credit card form with a CVC field of type password (I think bestbuy.ca has this). You should see it fill automatically on page load. You can try creating a test page that has both properties (and HTTPS) using github pages. Not sure how to trigger password save on a typical page, perhaps a combination of heuristics such as having login in the URL and a username/password field. You could ask Maxim about that part.
May 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6

commit bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6
Author: pkalinnikov <pkalinnikov@chromium.org>
Date: Thu May 11 08:34:47 2017

Move autofill_regex_constants to core/common.

Before this CL some files in core/common included the autofill_regex_constants from core/browser, and that violated layering. This CL moves the constants to the right place.

This change is also necessary to allow using the constants from renderer code in order to fix some false positives in password autofilling.

Additionally, the files have been reformatted automatically.

BUG=674151
Review-Url: https://codereview.chromium.org/2877473002
Cr-Commit-Position: refs/heads/master@{#470875}

[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/BUILD.gn
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/address_field.cc
[delete] https://crrev.com/ec72b3b0616de6e11b11db904b12a5a7e2a1a9da/components/autofill/core/browser/autofill_regex_constants.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/credit_card_field.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/email_field.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/name_field.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/phone_field.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/browser/validation.cc
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/common/BUILD.gn
[add] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/common/autofill_regex_constants.cc
[rename] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/common/autofill_regex_constants.h
[modify] https://crrev.com/bff6eb30da83bf8b1277e2bbbb8d55467da2bbb6/components/autofill/core/common/autofill_regexes_unittest.cc
May 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e2adcd849d16ed6935ff8734f075bfdf729297e4

commit e2adcd849d16ed6935ff8734f075bfdf729297e4
Author: pkalinnikov <pkalinnikov@chromium.org>
Date: Fri May 12 18:59:59 2017

Prevent autofilling credit card security number fields with passwords.

Currently, if a security code input field (with type="password") in a credit card form is encountered, and there is a password stored for the site, then autofill completes it with the stored password.

This CL adds a client-side heuristic (i.e., name/id of the field matches a certain regexp) to filter out such fields from a password form.

BUG=674151
Review-Url: https://codereview.chromium.org/2874803002
Cr-Commit-Position: refs/heads/master@{#471394}

[modify] https://crrev.com/e2adcd849d16ed6935ff8734f075bfdf729297e4/components/autofill/content/renderer/password_form_conversion_utils.cc
[modify] https://crrev.com/e2adcd849d16ed6935ff8734f075bfdf729297e4/components/autofill/content/renderer/password_form_conversion_utils.h
[modify] https://crrev.com/e2adcd849d16ed6935ff8734f075bfdf729297e4/components/autofill/content/renderer/password_form_conversion_utils_browsertest.cc
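The kind of filter the commit above describes, sketched as an added example (not Chromium's code and not part of the original thread): a type="password" field whose id or name matches a pattern is dropped from the password candidates. The `Field` struct, the pattern and the sample forms are assumptions constructed for illustration; the SSN form shows a field that a CVC-only pattern does not catch.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <regex>
#include <string>
#include <vector>

// Hypothetical stand-in for a form control; not a Chromium type.
struct Field {
  std::string type, id, name;
};

// Assumed, illustrative pattern; NOT the regular expression used by Chromium.
static const std::regex kAssumedCvcRe(
    "cvc|cvv|cvn|csc|security.?code|card.?verification");

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return (char)std::tolower(c); });
  return s;
}

// True when the field's id or name suggests a card security code.
bool LooksLikeCvcField(const Field& f) {
  const std::string id = Lower(f.id), name = Lower(f.name);
  return std::regex_search(id, kAssumedCvcRe) ||
         std::regex_search(name, kAssumedCvcRe);
}

// Fields a password manager would still treat as passwords after the filter.
std::vector<Field> PasswordCandidates(const std::vector<Field>& form) {
  std::vector<Field> out;
  for (const Field& f : form)
    if (Lower(f.type) == "password" && !LooksLikeCvcField(f)) out.push_back(f);
  return out;
}

// Constructed sample forms; each Field is {type, id, name}.
std::vector<Field> LoginForm() {
  return {Field{"text", "user", "username"}, Field{"password", "pw", "password"}};
}
std::vector<Field> CheckoutForm() {
  return {Field{"text", "ccnum", "cardNumber"}, Field{"password", "cardCVC", "cvc"},
          Field{"password", "sec", "securityCode"}};
}
std::vector<Field> SsnForm() {
  return {Field{"password", "ssn", "socialSecurityNumber"}};
}

int main() {
  std::printf("login=%zu checkout=%zu ssn=%zu\n", PasswordCandidates(LoginForm()).size(),
              PasswordCandidates(CheckoutForm()).size(), PasswordCandidates(SsnForm()).size());
}
```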
May 30 2017
Pavel: please close the blocking bugs if they are fixed. If you are not able to reproduce the user flow, try to check field id/names. Even if the forms are not accessible, archive the bug. Did the landed solution solve all known (and reproducible) issues? If yes, close the META bug (we will reopen it if needed). If no, please offer a possible solution here (e.g. extending the regular expression we use).
May 30 2017
The CLs only prevent filling credit card security number fields with passwords. There is a bunch of sites where SSN fields are filled with passwords (blocking this bug). These need to be fixed as well.
Jul 1 2017
Bug 738688 is one case where it is more important to get this correct than in case of non-password forms with password fields. There Chrome attempts to overwrite the correct password with the wrong one.
Aug 29 2017
Leaving this to other people, since now I am not working on this, and will be transferring soon.
Jan 9 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3692a35a5f1f4454443a8acfc8d6f56b317e98cc

commit 3692a35a5f1f4454443a8acfc8d6f56b317e98cc
Author: Maxim Kolosovskiy <kolos@chromium.org>
Date: Tue Jan 09 19:44:27 2018

[Password Manager] Several fixes for username votes uploading

1) Don't save empty values to |PasswordForm.other_possible_usernames|
2) If the username value is empty, don't upload any username votes.
3) If the username value edited in a prompt has no match with another field of the form, |PasswordForm.username_element| should be empty.
4) Trim whitespaces in the username value typed in a prompt.
5) Don't trust server-side prediction of username field, if the prediction points to an empty field.
6) DCHECKs that |username_vote_type| cannot be |No_INFORMATION| if the autofill type is |USERNAME|.

Bug: 674151, 699530
Change-Id: I72d120a30fff14de77df1898710e28874318c290
Reviewed-on: https://chromium-review.googlesource.com/817276
Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org>
Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Commit-Queue: Maxim Kolosovskiy <kolos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528073}

[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/chrome/browser/ui/passwords/manage_passwords_ui_controller_unittest.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/chrome/browser/ui/views/passwords/manage_passwords_bubble_view.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/autofill/content/renderer/password_form_conversion_utils.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/autofill/content/renderer/password_form_conversion_utils_browsertest.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/autofill/core/browser/form_structure.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/password_manager/core/browser/password_form_manager.cc
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/password_manager/core/browser/password_form_manager.h
[modify] https://crrev.com/3692a35a5f1f4454443a8acfc8d6f56b317e98cc/components/password_manager/core/browser/password_form_manager_unittest.cc
Nov 29
vabr going hobby only -> reducing involvement. Please contact me directly in urgent matters.
Comment 1 by kolos@chromium.org, Dec 14 2016