"Login not secure" on extension pages collecting sensitive information
Reported by
andresan...@gmail.com,
Jun 20 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3135.4 Safari/537.36

Steps to reproduce the problem:
In this case, LastPass is being used. I believe this would affect any other extension pages using fields asking for sensitive information such as passwords.
1. Install the extension
2. Log into LastPass
3. Open the vault (will open up the extension page)
4. Add or edit either a site or a secure note
5. Press on the password field (if any)

What is the expected behavior?

What went wrong?
The "login not secure" message shows up before the autofill suggestions. Attached is a screenshot of what this would look like.

WebStore page: https://chrome.google.com/webstore/detail/lastpass-free-password-ma/hdokiejnpimakedhajhdlcegeplioahd

Did this work before? N/A

Chrome version: 61.0.3135.4 Channel: dev
OS Version: 10.0
Flash Version:

When it comes to password manager extensions, it may deter users from managing passwords and other sensitive information via extension page(s), especially when it's safe to enter such details. This could be to help avoid users being phished by malicious extensions added in via third party software (e.g. bundleware). Yes, there's worse, but that's always a possibility. Any thoughts on this?
Jun 20 2017 (attachment from andresan...@gmail.com, 2.4 KB)
Jun 22 2017
Somehow, I am not seeing the "Login not secure" message when editing the Gmail password on the latest Canary (61.0.3138.0) and the reported version 61.0.3135.4 on Windows 10. andresantosuk@: Could you please confirm whether anything is being missed here in the repro steps?
Jun 22 2017
I took some time to narrow this down in a virtual machine. With a fresh install without syncing and installing the extension via the Chrome Store, it works fine.

Fresh w/ extension sync only: no warning
Fresh w/ extension & password sync only: warning (also says "use password for:" followed by a list of emails and usernames)

So from what I can tell so far, you would need to have Chrome remember your login credentials (and have password sync enabled). It should then end up on the list that would show up when interacting with password field(s). The virtual machine has been using the exact same browser that was used on the host (61.0.3135.4 Dev x64).
Jun 22 2017
Thank you for providing more feedback. Adding requester "ajha@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 29 2017
Unable to reproduce this issue on Windows 10 with Chrome Dev 61.0.3135.4 and Canary 61.0.3143.0, following the steps as mentioned in comment #0. andresantosuk@, could you retry the same scenario on a clean profile with no apps/extensions (except "LastPass") and let us know your observations?
Jun 29 2017
In comment #5, there is more information on how to come across this issue (as soon as it was discovered that what was in #0 wasn't enough; my bad for not properly checking with a fresh install). It involves the passwords being synchronised. Just to clarify: are you asking me to go fresh, log in, synchronise everything apart from extensions, install the affected extension via the Chrome Store and then see if it's still an issue?
Jun 29 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 4 2017
andresantosuk@: As per comment #8, create a new profile, install only the "LastPass" extension and synchronize, then re-try the scenario and let us know your observations.
Jul 4 2017
Version: 61.0.3141.7 (Official Build) dev (64-bit) (cohort: Dev)
Tested in a Windows 7 virtual machine (same one used in comment #5).

This requires the user to have their username and/or password fields on the extension page show up as a light tint of yellow (RGB 250, 255, 189). It would indicate that the user can select an email/username that would use the password associated with that selection.

1. Install Chrome Dev as fresh
2. Visit and install the LastPass extension from the Chrome Web Store
3. Log into Chrome Dev but set to allow altering of synchronisation settings (there is a checkbox for it after successful login) before it begins synchronising
4. Disable the synchronising of everything apart from 'password' sync
5. Navigate elsewhere in the settings to get it to start synchronising
6. Log into LastPass
7. Visit the LastPass vault extension page
8. Access the site/note management popup (for editing sites or notes)
9. Press either on the username or password field

Result: "Login not secure" warning + list of emails/usernames.

But there is more. This happens depending on the order of how things are done and it could sometimes be random(?). Let me expand on that.

We will begin with these steps. It is basically the same as above but re-ordered.

1. Install Chrome Dev as fresh
2. Visit and install the LastPass extension from the Chrome Web Store
3. Log into LastPass
4. Log into Chrome Dev but set to allow altering of synchronisation settings (there is a checkbox for it after successful login) before it begins synchronising
5. Disable the synchronising of everything apart from 'password' sync
6. Navigate elsewhere in the settings to get it to start synchronising
7. Visit the LastPass vault extension page
8. Access the site/note management popup (for editing sites or notes)

Result: List of emails/usernames but no "login not secure" warning.

As for /random/: on 22nd June 2017, while I was doing a bit of testing, I once ended up having the warning but no list displaying. The steps to reproduce had not been documented.
Jul 4 2017
Thank you for providing more feedback. Adding requester "kkaluri@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 5 2017
As the TE team was unable to reproduce the issue, requesting the Extensions dev team to look into this issue and update accordingly.
Oct 23 2017
I'm guessing that this doesn't reproduce anymore, and because the warning feature isn't launching, we can probably just close this bug now.
The PasswordAutofillAgent::ShouldShowNotSecureWarning function has:

    return security_state::IsHttpWarningInFormEnabled() &&
           !content::IsOriginSecure(
               url::Origin(render_frame()->GetWebFrame()->Top()->GetSecurityOrigin()).GetURL());
    }

IsOriginSecure should be returning true for chrome-extension, because in ChromeContentClient::AddAdditionalSchemes, we call

    schemes->secure_schemes.push_back(extensions::kExtensionScheme);
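The decision the comment above describes can be modelled in a few lines. The block below is an added illustration, not Chromium's code and not part of this bug thread: it reuses the names the comment mentions (IsOriginSecure, ShouldShowNotSecureWarning, secure_schemes, AddAdditionalSchemes, kExtensionScheme) but their bodies, the built-in secure-scheme list and the loopback rule are assumptions that simplify the real implementation. It shows the two things a reader of this bug needs: the warning is keyed on the top frame's origin, and registering the chrome-extension scheme as secure is what suppresses it on extension pages.

```cpp
// Added illustration: a simplified, stand-alone model of the "Login not
// secure" decision. NOT Chromium's code; identifiers mirror those named in
// the bug comment, bodies are assumptions.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Registry of schemes an embedder may declare secure
// (models ContentClient::Schemes::secure_schemes).
struct Schemes {
  std::vector<std::string> secure_schemes;
};

// Models extensions::kExtensionScheme.
static const char kExtensionScheme[] = "chrome-extension";

// Assumption: schemes treated as secure without any registration.
static const std::vector<std::string> kBuiltinSecureSchemes = {"https", "wss", "file"};

// Returns the lower-cased scheme of |url|, or "" if there is none.
std::string SchemeOf(const std::string& url) {
  const std::string::size_type pos = url.find("://");
  if (pos == std::string::npos) return "";
  std::string scheme = url.substr(0, pos);
  std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return scheme;
}

// Returns the host of |url| (no port, path, query or fragment), or "".
std::string HostOf(const std::string& url) {
  const std::string::size_type pos = url.find("://");
  if (pos == std::string::npos) return "";
  const std::string rest = url.substr(pos + 3);
  return rest.substr(0, rest.find_first_of("/:?#"));
}

bool Contains(const std::vector<std::string>& list, const std::string& s) {
  return std::find(list.begin(), list.end(), s) != list.end();
}

// Simplified model of content::IsOriginSecure: built-in secure schemes,
// loopback hosts, and any scheme the embedder registered.
bool IsOriginSecure(const std::string& url, const Schemes& schemes) {
  const std::string scheme = SchemeOf(url);
  if (scheme.empty()) return false;
  if (Contains(kBuiltinSecureSchemes, scheme)) return true;
  const std::string host = HostOf(url);
  if (host == "localhost" || host == "127.0.0.1") return true;
  return Contains(schemes.secure_schemes, scheme);
}

// Model of PasswordAutofillAgent::ShouldShowNotSecureWarning: gated on the
// feature flag AND on the TOP frame's origin being insecure.
bool ShouldShowNotSecureWarning(bool http_warning_in_form_enabled,
                                const std::string& top_frame_url,
                                const Schemes& schemes) {
  return http_warning_in_form_enabled && !IsOriginSecure(top_frame_url, schemes);
}

// Models the registration in ChromeContentClient::AddAdditionalSchemes.
void AddAdditionalSchemes(Schemes* schemes) {
  schemes->secure_schemes.push_back(kExtensionScheme);
}

// The two configurations compared below: nothing registered vs. Chrome's.
Schemes SchemesWithoutExtensionRegistration() { return Schemes{}; }
Schemes SchemesAsRegisteredByChrome() {
  Schemes schemes;
  AddAdditionalSchemes(&schemes);
  return schemes;
}

int main() {
  // Constructed sample URL using the LastPass extension id from the report.
  const std::string vault =
      "chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/vault.html";
  std::cout << "extension page, scheme not registered: "
            << ShouldShowNotSecureWarning(true, vault, SchemesWithoutExtensionRegistration()) << "\n"
            << "extension page, scheme registered:     "
            << ShouldShowNotSecureWarning(true, vault, SchemesAsRegisteredByChrome()) << "\n"
            << "plain http login page:                 "
            << ShouldShowNotSecureWarning(true, "http://example.com/login", SchemesAsRegisteredByChrome()) << "\n";
  return 0;
}
```

With the extension scheme registered, the extension vault page evaluates as secure and the warning is not shown; without the registration the same page would warn, which is the failure mode the reporter observed. Note that a real check also has to use the top frame's origin, not the origin of a nested frame, which is why the quoted Chromium code walks to Top() before asking for the security origin.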
Oct 23 2017
Even though this has been closed (with no intention to have it reopened), I'd like to confirm that this has been resolved. Currently using v63.0.3239.9 Dev channel Win64, but it was likely fixed some time ago. Thanks.