| blob | fd361b6e2679e72e3b2a7508336945a80f8c07b2 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <algorithm>
47 }
52 kMaxNumActionsTaken);
53 }
58 };
60 // TODO(timsteele): use a hash of some sort in the future?
66 // HTML form case.
67 // At a minimum, username and password element must match.
71 }
73 // When action match is required, the action URL must match, but
74 // the form is allowed to have an empty action URL (See bug 1107719).
75 // Otherwise ignore action URL, this is to allow saving password form with
76 // dynamically changed action URL (See bug 27246).
80 }
82 // If this is a replay of the same form in the case a user entered an invalid
83 // password, the origin of the new form may equal the action of the "first"
84 // form.
89 // Compare origins, ignoring scheme. There is no easy way to do this
90 // with GURL because clearing the scheme would result in an invalid url.
91 // This is for some sites (such as Hotmail) that begin on an http page and
92 // head to https for the retry when password was invalid.
100 after_scheme2,
103 }
105 }
107 }
114 }
119 // Configure the form about to be saved for blacklist status.
125 // Retroactively forget existing matches for this form, so we NEVER prompt or
126 // autofill it again.
134 }
136 // We want to remove existing matches for this form so that the exact
137 // origin match with |blackisted_by_user == true| is the only result that
138 // shows up in the future for this origin URL. However, we don't want to
139 // delete logins that were actually saved on a different page (hence with
140 // different origin URL) and just happened to match this form because of
141 // the scoring algorithm. See bug 1204493.
145 }
146 }
147 }
150 num_passwords_deleted);
152 // Save the pending_credentials_ entry marked as blacklisted.
154 }
159 use_additional_authentication;
160 }
165 }
169 }
173 }
176 // This check is permissive, as the user may have generated a password and
177 // then edited it in the form itself. However, even in this case the user
178 // has already given consent, so we treat these cases the same.
180 }
184 // Non-HTML password forms (primarily HTTP and FTP autentication)
185 // do not contain username_element and password_element values.
190 }
194 OtherPossibleUsernamesAction action) {
198 // Make sure the important fields stay the same as the initially observed or
199 // autofilled ones, as they may have changed if the user experienced a login
200 // failure.
201 // Look for these credentials in the list containing auto-fill entries.
205 // The user signed in with a login we autofilled.
208 // Public suffix matches should always be new logins, since we want to store
209 // them so they can automatically be filled in later.
214 // Check to see if we're using a known username but a new password.
220 // |pending_credentials_| is now set. Note we don't update
221 // |pending_credentials_.username_value| to |credentials.username_value|
222 // yet because we need to keep the original username to modify the stored
223 // credential.
227 // User typed in a new, unknown username.
233 }
236 // If the user selected credentials we autofilled from a PasswordForm
237 // that contained no action URL (IE6/7 imported passwords, for example),
238 // bless it with the action URL from the observed form. See bug 1107719.
247 }
255 else
257 }
267 }
269 }
273 }
277 // Note that the result gets deleted after this call completes, but we own
278 // the PasswordForm objects pointed to by the result vector, thus we keep
279 // copies to a minimum here.
282 // These credentials will be in the final result regardless of score.
288 }
289 // Score and update best matches.
291 // This check is here so we can append empty path matches in the event
292 // they don't score as high as others and aren't added to best_matches_.
293 // This is most commonly imported firefox logins. We skip blacklisted
294 // ones because clearly we don't want to autofill them, and secondly
295 // because they only mean something when we have no other matches already
296 // saved in Chrome - in which case they'll make it through the regular
297 // scoring flow below by design. Note signon_realm == origin implies empty
298 // path logins_result, since signon_realm is a prefix of origin for HTML
299 // password forms.
300 // TODO(timsteele): Bug 1269400. We probably should do something more
301 // elegant for any shorter-path match instead of explicitly handling empty
302 // path matches.
307 }
309 // Always keep generated passwords as part of the result set. If a user
310 // generates a password on a signup form, it should show on a login form
311 // even if they have a previous login saved.
312 // TODO(gcasto): We don't want to cut credentials that were saved on signup
313 // forms even if they weren't generated, but currently it's hard to
314 // distinguish between those forms and two different login forms on the
315 // same domain. Filed http://crbug.com/294468 to look into this.
322 }
327 // This new login has a better score than all those up to this point
328 // Note 'this' owns all the PasswordForms in best_matches_.
333 }
336 }
337 // We're done matching now.
342 }
347 // If we don't already have a result with the same username, add the
348 // lower-scored match (if it had equal score it would already be in
349 // best_matches_).
352 }
357 // It is possible we have at least one match but have no preferred_match_,
358 // because a user may have chosen to 'Forget' the preferred match. So we
359 // just pick the first one and whichever the user selects for submit will
360 // be saved as preferred.
365 // Check to see if the user told us to ignore this site in the past.
369 }
371 // If not blacklisted, inform the driver that password generation is allowed
372 // for |observed_form_|.
375 // Proceed to autofill.
376 // Note that we provide the choices but don't actually prefill a value if:
377 // (1) we are in Incognito mode, (2) the ACTION paths don't match,
378 // or (3) if it matched using public suffix domain matching.
386 else
390 }
398 // No result means that we visit this site the first time so we don't need
399 // to check whether this site is blacklisted or not. Just send a message
400 // to allow password generation.
403 }
405 }
408 // Ignore change password forms until we have some change password
409 // functionality
412 }
413 // Don't match an invalid SSL form with one saved under secure
414 // circumstances.
417 }
419 }
424 // The new_form is being used to sign in, so it is preferred.
426 // new_form contains the same basic data as observed_form_ (because its the
427 // same form), but with the newly added credentials.
435 }
443 }
444 }
447 // Remove any possible usernames that could be credit cards or SSN for privacy
448 // reasons. Also remove duplicates, both in other_possible_usernames and
449 // between other_possible_usernames and username_value.
456 }
460 }
469 // This wasn't the selected login but it used to be preferred.
474 }
475 }
476 }
481 // If we're doing an Update, we either autofilled correctly and need to
482 // update the stats, or the user typed in a new password for autofilled
483 // username, or the user selected one of the non-preferred matches,
484 // thus requiring a swap of preferred bits.
492 }
494 // Update metadata.
497 // Check to see if this form is a candidate for password generation.
502 // Remove alternate usernames. At this point we assume that we have found
503 // the right username.
506 // Update the new preferred login.
508 // An other possible username is selected. We set this selected username
509 // as the real username. The PasswordStore API isn't designed to update
510 // username, so we delete the old credentials and add a new one instead.
519 // Note origin.spec().length > signon_realm.length implies the origin has a
520 // path, since signon_realm is a prefix of origin for HTML password forms.
521 //
522 // The user logged in successfully with one of our autofilled logins on a
523 // page with non-empty path, but the autofilled entry was initially saved/
524 // imported with an empty path. Rather than just mark this entry preferred,
525 // we create a more specific copy for this exact page and leave the "master"
526 // unchanged. This is to prevent the case where that master login is used
527 // on several sites (e.g site.com/a and site.com/b) but the user actually
528 // has a different preference on each site. For example, on /a, he wants the
529 // general empty-path login so it is flagged as preferred, but on /b he logs
530 // in with a different saved entry - we don't want to remove the preferred
531 // status of the former because upon return to /a it won't be the default-
532 // fill match.
533 // TODO(timsteele): Bug 1188626 - expire the master copies.
540 }
541 }
551 }
552 }
553 }
555 }
559 // We check to see if the saved form_data is the same as the observed
560 // form_data, which should never be true for passwords saved on account
561 // creation forms. This check is only made the first time a password is used
562 // to cut down on false positives. Specifically a site may have multiple login
563 // forms with different markup, which might look similar to a signup form.
567 // Ignore |pending_structure| if its FormData has no fields. This is to
568 // weed out those credentials that were saved before FormData was added
569 // to PasswordForm. Even without this check, these FormStructure's won't
570 // be uploaded, but it makes it hard to see if we are encountering
571 // unexpected errors.
577 // Note that this doesn't guarantee that the upload succeeded, only that
578 // |pending.form_data| is considered uploadable.
582 }
583 }
584 }
585 }
589 // For scoring of candidate login data:
590 // The most important element that should match is the origin, followed by
591 // the action, the password name, the submit button name, and finally the
592 // username input field name.
593 // Exact origin match gives an addition of 64 (1 << 6) + # of matching url
594 // dirs.
595 // Partial match gives an addition of 32 (1 << 5) + # matching url dirs
596 // That way, a partial match cannot trump an exact match even if
597 // the partial one matches all other attributes (action, elements) (and
598 // regardless of the matching depth in the URL path).
599 // If public suffix origin match was not used, it gives an addition of
600 // 16 (1 << 4).
603 // This check is here for the most common case which
604 // is we have a single match in the db for the given host,
605 // so we don't generally need to walk the entire URL path (the else
606 // clause).
609 // Walk the origin URL paths one directory at a time to see how
610 // deep the two match.
618 depth++;
619 score++;
620 }
621 // do we have a partial match?
623 }
635 }
638 }
642 }
646 }