Manage Passwords is set to "Off" but it still autofills credentials
Reported by
sdailey....@gmail.com,
Mar 15 2018
Issue description

VULNERABILITY DETAILS
I have Manage Passwords toggled "Off" as well as "Auto-login" toggled "Off", and I also have toggled Autofill settings "Off". YET - Chrome is autofilling usernames and passwords on sites that I visit, unmasking my identity to that site. This 1.) clearly deceives and runs afoul of user expectations, 2.) undermines the user's privacy because it gives sites like Facebook a way of knowing who logged-out users are even with cookies disabled and other precautions taken by the user. -- In the EU there was an issue with Facebook tracking logged-out users, so this unmasking threat is not hypothetical.

VERSION
Chrome Version: 64.0.3282.186 (Official Build) (64-bit)
Operating System: macOS High Sierra 10.13.3

REPRODUCTION CASE
The vulnerability can be reproduced on a site with a login where the password had been saved in the manager at some point. A good example is with www.reddit.com

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
This does not crash the browser.
,
Mar 16 2018
Thanks for the report. This has already been spotted in the past (see bug 707887). The summary is that the UI labels are confusing. The main toggle in chrome://settings/passwords controls saving, not filling of credentials. If Chrome stopped filling credentials, the user would forget that they have saved them. The only way to stop filling is to delete all of them (easiest to do in chrome://settings/clearBrowserData). The "Auto sign-in" is only related to sites using the new Credential Manager JavaScript API; it does not affect credentials passed through normal HTML forms. The other autofill setting controls filling non-password data (I agree that it is not obvious from how the settings are labelled).
,
Mar 16 2018
Issue 707887 was already public, so there's no need to keep this one restricted. Is the plan here to change the labels so they more clearly explain the behavior, or is the plan to change the behavior (say, to prompt the user about clearing their credentials if they turn off the password manager)?
,
Mar 16 2018
,
Mar 16 2018
Not sure if we should keep this labelled as a security bug, but tentatively triaging it as Low severity.
,
Mar 16 2018
Thanks for the timely response. Hopefully you guys can resolve this soon, it's very misleading and has been a real problem for quite a while. On Fri, Mar 16, 2018 at 7:38 AM, v… via monorail <monorail+v2.3055812653@ chromium.org> wrote:
,
Mar 17 2018
,
Mar 17 2018
Thanks for the report! Currently, the chrome://settings/passwords view is titled "Manage passwords" and offers a global toggle "ON"/"OFF". I'd like to revisit this string. Proposal for consideration:

TODAY:
On [toggle]
Auto Sign-in [toggle] Automatically sign in to websites using stored credentials. If disabled, you will be asked for confirmation every time before signing in to a website.

PROPOSAL:
Offer to save passwords [toggle] Saved passwords are filled into sign-in forms automatically.
Auto Sign-in [toggle] Automatically sign in to websites using stored credentials. If disabled, you will be asked for confirmation every time before signing in to a website.
,
Mar 19 2018
The proposal in #8 sounds like an improvement to me, thanks! Perhaps if the setting is OFF, we could tweak the wording and add a link into the clear experience, e.g. "Previously saved passwords will be filled into sign-in forms automatically. (__Clear Passwords__)"
,
Mar 20 2018
Screenshots for Code Review
,
Mar 21 2018
This UI change LGTM. elawrence, please note that we settled on a simple change for M66: we will change the title of the toggle (and not add a textual description below). We found that it could be a new source of confusion. We're planning to fix this setting more generally in M67. jdoerrie, please go ahead and land. Once landed, please add a reference to your CL in this bug and add a merge-requested label. Adjusting milestone label as we are planning to fix the string for M66.
,
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7

commit 52f6eb4221430b6248fd5a59bec53bfef9fdd9a7
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Mar 21 10:16:25 2018

[md-settings] Clarify Password Saving and Autofill Toggles

This change clarifies the wording around the password saving and autofill toggles.

Bug: 822465
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I91b31fe61cd0754239f7908e8c04c7e69b72f670
Reviewed-on: https://chromium-review.googlesource.com/970541
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544661}

[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/app/settings_strings.grdp
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/resources/settings/passwords_and_forms_page/autofill_section.html
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/resources/settings/passwords_and_forms_page/passwords_section.html
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/ui/webui/settings/md_settings_localized_strings_provider.cc
,
Mar 21 2018
,
Mar 21 2018
Approving merge for M66. Branch: 3359
,
Mar 21 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9e9a3c010a73f49a0e48da10fea268dc30ecb995

commit 9e9a3c010a73f49a0e48da10fea268dc30ecb995
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Mar 21 15:11:05 2018

[md-settings] Clarify Password Saving and Autofill Toggles

This change clarifies the wording around the password saving and autofill toggles.

Bug: 822465
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I91b31fe61cd0754239f7908e8c04c7e69b72f670
Reviewed-on: https://chromium-review.googlesource.com/970541
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#544661}
(cherry picked from commit 52f6eb4221430b6248fd5a59bec53bfef9fdd9a7)
Reviewed-on: https://chromium-review.googlesource.com/973621
Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#360}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}

[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/app/settings_strings.grdp
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/resources/settings/passwords_and_forms_page/autofill_section.html
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/resources/settings/passwords_and_forms_page/passwords_section.html
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/ui/webui/settings/md_settings_localized_strings_provider.cc
,
Mar 28 2018
Able to reproduce this issue on 66.0.3359.45, hence verifying the fix on 66.0.3359.66. Now observing "Offer to save passwords" and "Auto-fill forms" text in the Manage Autofill and Manage Password sections. Attaching screenshots for reference. As the fix is working as expected, adding Verified labels. Thanks!
,
Mar 28 2018
Thanks everyone!
,
Apr 1 2018
,
Apr 11 2018
I'm afraid the VRP panel declined to reward for this, as it's a privacy issue: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-privacy-issues-considered-security-bugs-
,
Apr 17 2018
,
Apr 25 2018
,
Apr 25 2018
,
Nov 29
,
Jan 4
Comment 1 by dominickn@chromium.org, Mar 16 2018
Components: UI>Browser>Passwords
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: vasi...@chromium.org
Status: Assigned (was: Unconfirmed)