1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/autofill/content/renderer/password_form_conversion_utils.h"
#include "base/strings/string_util.h"
#include "components/autofill/content/renderer/form_autofill_util.h"
#include "components/autofill/core/common/password_form.h"
#include "third_party/WebKit/public/platform/WebString.h"
#include "third_party/WebKit/public/web/WebDocument.h"
#include "third_party/WebKit/public/web/WebFormControlElement.h"
#include "third_party/WebKit/public/web/WebInputElement.h"
using blink::WebDocument;
using blink::WebFormControlElement;
using blink::WebFormElement;
using blink::WebInputElement;
using blink::WebString;
using blink::WebVector;
namespace autofill {
namespace {
// Checks in a case-insensitive way if the autocomplete attribute for the given
// |element| is present and has the specified |value_in_lowercase|.
bool HasAutocompleteAttributeValue(const WebInputElement& element,
const char* value_in_lowercase) {
return LowerCaseEqualsASCII(element.getAttribute("autocomplete"),
value_in_lowercase);
}
// Helper to determine which password is the main (current) one, and which is
// the new password (e.g., on a sign-up or change password form), if any.
bool LocateSpecificPasswords(std::vector<WebInputElement> passwords,
WebInputElement* current_password,
WebInputElement* new_password) {
DCHECK(current_password && current_password->isNull());
DCHECK(new_password && new_password->isNull());
// First, look for elements marked with either autocomplete='current-password'
// or 'new-password' -- if we find any, take the hint, and treat the first of
// each kind as the element we are looking for.
for (std::vector<WebInputElement>::const_iterator it = passwords.begin();
it != passwords.end(); it++) {
if (HasAutocompleteAttributeValue(*it, "current-password") &&
current_password->isNull()) {
*current_password = *it;
} else if (HasAutocompleteAttributeValue(*it, "new-password") &&
new_password->isNull()) {
*new_password = *it;
}
}
// If we have seen an element with either of autocomplete attributes above,
// take that as a signal that the page author must have intentionally left the
// rest of the password fields unmarked. Perhaps they are used for other
// purposes, e.g., PINs, OTPs, and the like. So we skip all the heuristics we
// normally do, and ignore the rest of the password fields.
if (!current_password->isNull() || !new_password->isNull())
return true;
switch (passwords.size()) {
case 1:
// Single password, easy.
*current_password = passwords[0];
break;
case 2:
if (passwords[0].value() == passwords[1].value()) {
// Two identical passwords: assume we are seeing a new password with a
// confirmation. This can be either a sign-up form or a password change
// form that does not ask for the old password.
*new_password = passwords[0];
} else {
// Assume first is old password, second is new (no choice but to guess).
*current_password = passwords[0];
*new_password = passwords[1];
}
break;
case 3:
if (!passwords[0].value().isEmpty() &&
passwords[0].value() == passwords[1].value() &&
passwords[0].value() == passwords[2].value()) {
// All three passwords are the same and non-empty? This does not make
// any sense, give up.
return false;
} else if (passwords[1].value() == passwords[2].value()) {
// New password is the duplicated one, and comes second; or empty form
// with 3 password fields, in which case we will assume this layout.
*current_password = passwords[0];
*new_password = passwords[1];
} else if (passwords[0].value() == passwords[1].value()) {
// It is strange that the new password comes first, but trust more which
// fields are duplicated than the ordering of fields.
*current_password = passwords[2];
*new_password = passwords[0];
} else {
// Three different passwords, or first and last match with middle
// different. No idea which is which, so no luck.
return false;
}
break;
default:
return false;
}
return true;
}
// Get information about a login form encapsulated in a PasswordForm struct.
// If an element of |form| has an entry in |user_modified_elements|, the
// associated string is used instead of the element's value to create
// the PasswordForm.
void GetPasswordForm(const WebFormElement& form,
PasswordForm* password_form,
const std::map<const blink::WebInputElement,
blink::WebString>* user_modified_elements) {
WebInputElement latest_input_element;
WebInputElement username_element;
password_form->username_marked_by_site = false;
std::vector<WebInputElement> passwords;
std::vector<base::string16> other_possible_usernames;
WebVector<WebFormControlElement> control_elements;
form.getFormControlElements(control_elements);
for (size_t i = 0; i < control_elements.size(); ++i) {
WebFormControlElement control_element = control_elements[i];
if (control_element.isActivatedSubmit())
password_form->submit_element = control_element.formControlName();
WebInputElement* input_element = toWebInputElement(&control_element);
if (!input_element || !input_element->isEnabled())
continue;
if (input_element->isPasswordField()) {
passwords.push_back(*input_element);
// If we have not yet considered any element to be the username so far,
// provisionally select the input element just before the first password
// element to be the username. This choice will be overruled if we later
// find an element with autocomplete='username'.
if (username_element.isNull() && !latest_input_element.isNull()) {
username_element = latest_input_element;
// Remove the selected username from other_possible_usernames.
if (!latest_input_element.value().isEmpty()) {
DCHECK(!other_possible_usernames.empty());
DCHECK_EQ(base::string16(latest_input_element.value()),
other_possible_usernames.back());
other_possible_usernames.pop_back();
}
}
}
// Various input types such as text, url, email can be a username field.
if (input_element->isTextField() && !input_element->isPasswordField()) {
if (HasAutocompleteAttributeValue(*input_element, "username")) {
if (password_form->username_marked_by_site) {
// A second or subsequent element marked with autocomplete='username'.
// This makes us less confident that we have understood the form. We
// will stick to our choice that the first such element was the real
// username, but will start collecting other_possible_usernames from
// the extra elements marked with autocomplete='username'. Note that
// unlike username_element, other_possible_usernames is used only for
// autofill, not for form identification, and blank autofill entries
// are not useful, so we do not collect empty strings.
if (!input_element->value().isEmpty())
other_possible_usernames.push_back(input_element->value());
} else {
// The first element marked with autocomplete='username'. Take the
// hint and treat it as the username (overruling the tentative choice
// we might have made before). Furthermore, drop all other possible
// usernames we have accrued so far: they come from fields not marked
// with the autocomplete attribute, making them unlikely alternatives.
username_element = *input_element;
password_form->username_marked_by_site = true;
other_possible_usernames.clear();
}
} else {
if (password_form->username_marked_by_site) {
// Having seen elements with autocomplete='username', elements without
// this attribute are no longer interesting. No-op.
} else {
// No elements marked with autocomplete='username' so far whatsoever.
// If we have not yet selected a username element even provisionally,
// then remember this element for the case when the next field turns
// out to be a password. Save a non-empty username as a possible
// alternative, at least for now.
if (username_element.isNull())
latest_input_element = *input_element;
if (!input_element->value().isEmpty())
other_possible_usernames.push_back(input_element->value());
}
}
}
}
if (!username_element.isNull()) {
password_form->username_element = username_element.nameForAutofill();
base::string16 username_value = username_element.value();
if (user_modified_elements != nullptr) {
auto username_iterator = user_modified_elements->find(username_element);
if (username_iterator != user_modified_elements->end()) {
base::string16 typed_username_value = username_iterator->second;
if (!StartsWith(username_value, typed_username_value, false)) {
// We check that |username_value| was not obtained by autofilling
// |typed_username_value|. In case when it was, |typed_username_value|
// is incomplete, so we should leave autofilled value.
username_value = typed_username_value;
}
}
}
password_form->username_value = username_value;
}
// Get the document URL
GURL full_origin(form.document().url());
// Calculate the canonical action URL
WebString action = form.action();
if (action.isNull())
action = WebString(""); // missing 'action' attribute implies current URL
GURL full_action(form.document().completeURL(action));
if (!full_action.is_valid())
return;
WebInputElement password;
WebInputElement new_password;
if (!LocateSpecificPasswords(passwords, &password, &new_password))
return;
// We want to keep the path but strip any authentication data, as well as
// query and ref portions of URL, for the form action and form origin.
GURL::Replacements rep;
rep.ClearUsername();
rep.ClearPassword();
rep.ClearQuery();
rep.ClearRef();
password_form->action = full_action.ReplaceComponents(rep);
password_form->origin = full_origin.ReplaceComponents(rep);
rep.SetPathStr("");
password_form->signon_realm = full_origin.ReplaceComponents(rep).spec();
password_form->other_possible_usernames.swap(other_possible_usernames);
if (!password.isNull()) {
password_form->password_element = password.nameForAutofill();
blink::WebString password_value = password.value();
if (user_modified_elements != nullptr) {
auto password_iterator = user_modified_elements->find(password);
if (password_iterator != user_modified_elements->end())
password_value = password_iterator->second;
}
password_form->password_value = password_value;
password_form->password_autocomplete_set = password.autoComplete();
}
if (!new_password.isNull()) {
password_form->new_password_element = new_password.nameForAutofill();
password_form->new_password_value = new_password.value();
}
password_form->scheme = PasswordForm::SCHEME_HTML;
password_form->ssl_valid = false;
password_form->preferred = false;
password_form->blacklisted_by_user = false;
password_form->type = PasswordForm::TYPE_MANUAL;
}
} // namespace
scoped_ptr<PasswordForm> CreatePasswordForm(
const WebFormElement& web_form,
const std::map<const blink::WebInputElement, blink::WebString>*
user_modified_elements) {
if (web_form.isNull())
return scoped_ptr<PasswordForm>();
scoped_ptr<PasswordForm> password_form(new PasswordForm());
GetPasswordForm(web_form, password_form.get(), user_modified_elements);
if (!password_form->action.is_valid())
return scoped_ptr<PasswordForm>();
WebFormElementToFormData(web_form,
blink::WebFormControlElement(),
REQUIRE_NONE,
EXTRACT_NONE,
&password_form->form_data,
NULL /* FormFieldData */);
return password_form.Pass();
}
} // namespace autofill
|
