Interesting. This sounds like it has a different root cause but the same impact as  Issue 677220 . If the proposed fix is effective, perhaps some piece of it will fix that issue as well.

Yeah, I noticed that bug as well and tried to file it as a separate issue. Currently my fix doesn't call EnableSecureEventInput(), but as I've read the Apple Technote on the topic I discovered that my current solution is only half-baked. Will try to fix all of them in my CL today.

BTW, Am I eligible to participate in https://www.google.com/about/appsecurity/chrome-rewards/index.html? :-)

Ah, actually I suspect that the root cause of the 677220 problem will not impact the HTTP Authentication prompt, because the latter is coming from the unsandboxed browser process.

The root cause of 677220 didn't lead for this issue to happen (this issue happened because noone thought that views::Textfield should enable the secure input mode in the first place), but I fixed it as well. Now secure text input is enabled both for HTTP Auth prompt and password fields on webpages.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4

commit f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4
Author: Michail Pishchagin <mblsha@yandex-team.ru>
Date: Mon Mar 12 17:07:26 2018

MacViews: Enable secure text input for password Textfields.

In Cocoa the NSTextInputContext automatically enables secure text input
when activated and it's in the secure text entry mode.

RenderWidgetHostViewMac did the similar thing for ages following the
WebKit example.

views::Textfield needs to do the same thing in a fashion that's
sycnrhonized with RenderWidgetHostViewMac, otherwise the race conditions
are possible when the Textfield gets focus, activates the secure text
input mode and the RWHVM loses focus immediately afterwards and disables
the secure text input instead of leaving it in the enabled state.

BUG= 818133 , 677220 

Change-Id: I6db6c4b59e4a1a72cbb7f8c7056f71b04a3df08b
Reviewed-on: https://chromium-review.googlesource.com/943064
Commit-Queue: Michail Pishchagin <mblsha@yandex-team.ru>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542517}
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/content/browser/renderer_host/render_widget_host_view_mac_unittest.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/editing/FrameSelection.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/HTMLInputElement.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/HTMLInputElement.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/InputType.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/PasswordInputType.cpp
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/core/html/forms/PasswordInputType.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/third_party/WebKit/Source/platform/BUILD.gn
[delete] https://crrev.com/59abdb5ec27148747bc0a6633178ce5a661b6f35/third_party/WebKit/Source/platform/SecureTextInput.cpp
[delete] https://crrev.com/59abdb5ec27148747bc0a6633178ce5a661b6f35/third_party/WebKit/Source/platform/SecureTextInput.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/BUILD.gn
[add] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/cocoa/secure_password_input.h
[add] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/base/cocoa/secure_password_input.mm
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield.cc
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield.h
[modify] https://crrev.com/f1574f25e1402e748bf2bd7e28ce3dd96ceb1ca4/ui/views/controls/textfield/textfield_unittest.cc

Is this now "Fixed"?

Yep. But I created this issue using wrong account that doesn't have the bug edit permission.

I'm afraid the VRP panel declined to reward for this bug. Many thanks for the report. How would you like to be credited in Chrome release notes?

"Michail Pishchagin (Yandex)" or something like that should be fine.

Thanks Michail!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot