
Issue 676706

Starred by 4 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Task



Hotlists containing this issue:
EnamelAndFriendsFixIt



Verify Form-Not-Secure behavior in iframes and with secure actions

Project Member Reported by est...@chromium.org, Dec 22 2016

Issue description

Right now the Form-Not-Secure password code uses PasswordForm::origin [1] to decide whether to show the "Login not secure" warning in the suggestions dropdown [2].

It's not clear to me from reading the code that |origin| is the right thing to be looking at. In particular, we should verify the behavior in the following cases:
1. When an http page embeds an https page with a password form, the "Login not secure" warning should be shown.
2. When a password form on an http page has an https:// action, the "Login not secure" warning should be shown.

[1] https://cs.chromium.org/chromium/src/components/autofill/core/common/password_form.h?sq=package:chromium&rcl=1482409686&l=96

[2] https://cs.chromium.org/chromium/src/components/password_manager/core/browser/password_autofill_manager.cc?sq=package:chromium&rcl=1482409686&l=214
 

Comment 1 by est...@chromium.org, Dec 22 2016

Cc: lgar...@chromium.org elawrence@chromium.org
+elawrence, lgarron: a couple test cases we might want to add to badssl.com for form-not-secure
[Case 1] OK ------------

Visiting http://rsolomakhin.github.io/autofill/, an HTTP page with a form containing an HTTPS target:

Inside PasswordManager::Autofill,
  fill_data.origin = http://rsolomakhin.github.io/autofill/
  show_form_not_secure_warning_on_autofill = true

[Case 2] OK ------------

Visiting http://ericlawrence.com/test/password/httpssubframe.htm, an HTTP page with an HTTPS subframe,

Inside PasswordManager::Autofill,
  fill_data.origin = https://rsolomakhin.github.io/autofill/
  show_form_not_secure_warning_on_autofill = true

Notably here, the URL parameter passed to the ChromeAutofillClient::IsContextSecure check is HTTPS, but that function doesn't even look at it; it looks at the context of the last committed navigation entry [1].


[1] https://cs.chromium.org/chromium/src/chrome/browser/ui/autofill/chrome_autofill_client.cc?q=IsContextSecure&sq=package:chromium&dr=C&l=357
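
A simplified model of the two checks discussed in this thread, as an added example (not Chromium code and not part of any comment): it contrasts a decision based on the form's own frame URL with one based on the top-level page, using the two cases above. The struct, the function names and the action URLs are hypothetical and constructed for illustration.

```cpp
#include <iostream>
#include <string>

// Simplified model for illustration; none of these names exist in Chromium.
struct FillContext {
  std::string top_level_url;  // URL of the last committed navigation entry
  std::string form_origin;    // URL of the frame hosting the form (fill_data.origin)
  std::string form_action;    // submission target; deliberately never consulted
};

bool IsHttps(const std::string& url) { return url.rfind("https://", 0) == 0; }

// Check A: decide from the form's own frame only.
bool WarnByFormOrigin(const FillContext& c) { return !IsHttps(c.form_origin); }

// Check B: decide from the top-level page only.
bool WarnByTopLevelContext(const FillContext& c) { return !IsHttps(c.top_level_url); }

// Conservative combination (an assumption of this example): warn if either is not HTTPS.
bool ShouldWarn(const FillContext& c) {
  return WarnByFormOrigin(c) || WarnByTopLevelContext(c);
}

// Case 1 from the thread; the action URL is a constructed placeholder.
FillContext Case1() {
  return {"http://rsolomakhin.github.io/autofill/",
          "http://rsolomakhin.github.io/autofill/",
          "https://action.example/login"};
}

// Case 2 from the thread: HTTP top-level page, HTTPS subframe with the form.
FillContext Case2() {
  return {"http://ericlawrence.com/test/password/httpssubframe.htm",
          "https://rsolomakhin.github.io/autofill/",
          "https://action.example/login"};
}

int main() {
  const FillContext cases[] = {Case1(), Case2()};
  for (const FillContext& c : cases) {
    std::cout << c.top_level_url << " origin_check=" << WarnByFormOrigin(c)
              << " context_check=" << WarnByTopLevelContext(c)
              << " combined=" << ShouldWarn(c) << "\n";
  }
  return 0;
}
```

Check A alone stays silent on Case 2 because the subframe's URL is HTTPS, and the HTTPS action changes the outcome in neither case.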

Comment 3 by est...@chromium.org, Jan 11 2017

Labels: -Pri-1 Pri-2
Refinement of my remarks in #2: The URL argument passed to IsContextSecure *is* used on iOS. 

That's Issue 505388 https://cs.chromium.org/chromium/src/ios/chrome/browser/ui/autofill/autofill_client_ios.mm?dr=CSs&l=185 

Comment 5 by vabr@chromium.org, May 2 2017

Labels: -tracking_work Type-Task

Comment 6 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 7 by est...@chromium.org, Nov 10 2017

Status: WontFix (was: Available)
We decided not to launch this feature.
