"never save" password rule not respected for iframe login forms
Reported by michael....@gmail.com, Feb 5 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Log in to e.g. https://sso.brf.dk/login/NemIDLogin (any Danish banking, insurance, government site uses a similar login form)
2. The save password dialogue appears. Select "never save"
3. Repeat steps 1 & 2.... Save password dialogue appears again.

What is the expected behavior?
3. Save password dialogue does not appear

What went wrong?
It looks like the rule is saved for the iframe URL, which is something like https://appletk.danid.dk. But when the rule is applied on the next visit, it is applied for the page URL, https://sso.brf.dk, instead of for the iframe URL.

Did this work before? N/A

Chrome version: 63.0.3239.132 Channel: n/a
OS Version: OS X 10.11.6
Flash Version:

The risk is that the user accidentally clicks "save" at some point. If the user doesn't know how to delete the saved password, other users of the computer may gain access to this critical login (which is used for banks, taxes, finances etc.).
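The mismatch described in the report, as a small model added here (not part of the original report and not Chrome's code): the "never save" rule is written under the iframe origin, and the later check uses either the page URL or the iframe URL. The class and function names, the path on the iframe URL and the `bank.example` site are assumptions made for the illustration.

```javascript
// Toy model of a "never save" list keyed by origin. Illustration only;
// this is not Chrome's password manager code.
class NeverSaveList {
  constructor() {
    this.origins = new Set();
  }
  add(url) {
    this.origins.add(new URL(url).origin);
  }
  has(url) {
    return this.origins.has(new URL(url).origin);
  }
}

// URLs from the report; the path on the iframe URL is a placeholder.
const BRF_LOGIN = {
  pageUrl: 'https://sso.brf.dk/login/NemIDLogin',
  frameUrl: 'https://appletk.danid.dk/',
};
// Constructed second site embedding the same login iframe.
const OTHER_LOGIN = {
  pageUrl: 'https://bank.example/login',
  frameUrl: 'https://appletk.danid.dk/',
};

// lookupKey selects which URL the check uses: 'pageUrl' models the
// mismatch described in the report, 'frameUrl' the consistent behaviour.
function promptShown(list, login, lookupKey) {
  return !list.has(login[lookupKey]);
}

// Replays the reproduction steps: log in, choose "never save" (the rule
// is stored under the iframe origin), then log in again.
function replay(lookupKey) {
  const list = new NeverSaveList();
  const first = promptShown(list, BRF_LOGIN, lookupKey);
  if (first) list.add(BRF_LOGIN.frameUrl);
  return {
    first,
    second: promptShown(list, BRF_LOGIN, lookupKey),
    otherSite: promptShown(list, OTHER_LOGIN, lookupKey),
    storedOrigins: [...list.origins],
  };
}

console.log(replay('pageUrl'));
console.log(replay('frameUrl'));
```

In this model, a check keyed on the iframe origin also suppresses the prompt on any other page that embeds the same login iframe, while a check keyed on the page URL never finds the stored rule.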
Feb 5 2018
This probably affects at least the other desktop platforms as well.
Feb 6 2018
vasilii@ has fixed this in Chrome 65 already. \o/
Comment 1 by michael....@gmail.com, Feb 5 2018