| blob | 5b5adb7232af677889ed37eb70bfaebee1dfe1d6 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <algorithm>
50 }
55 kMaxNumActionsTaken);
56 }
61 };
63 // TODO(timsteele): use a hash of some sort in the future?
69 // HTML form case.
70 // At a minimum, username and password element must match.
74 }
76 // When action match is required, the action URL must match, but
77 // the form is allowed to have an empty action URL (See bug 1107719).
78 // Otherwise ignore action URL, this is to allow saving password form with
79 // dynamically changed action URL (See bug 27246).
83 }
85 // If this is a replay of the same form in the case a user entered an invalid
86 // password, the origin of the new form may equal the action of the "first"
87 // form.
92 // Compare origins, ignoring scheme. There is no easy way to do this
93 // with GURL because clearing the scheme would result in an invalid url.
94 // This is for some sites (such as Hotmail) that begin on an http page and
95 // head to https for the retry when password was invalid.
103 after_scheme2,
106 }
108 }
110 }
117 }
122 // Configure the form about to be saved for blacklist status.
128 // Retroactively forget existing matches for this form, so we NEVER prompt or
129 // autofill it again.
138 }
140 // We want to remove existing matches for this form so that the exact
141 // origin match with |blackisted_by_user == true| is the only result that
142 // shows up in the future for this origin URL. However, we don't want to
143 // delete logins that were actually saved on a different page (hence with
144 // different origin URL) and just happened to match this form because of
145 // the scoring algorithm. See bug 1204493.
149 }
150 }
151 }
154 num_passwords_deleted);
156 // Save the pending_credentials_ entry marked as blacklisted.
158 }
163 }
167 }
171 }
174 // This check is permissive, as the user may have generated a password and
175 // then edited it in the form itself. However, even in this case the user
176 // has already given consent, so we treat these cases the same.
178 }
182 // Non-HTML password forms (primarily HTTP and FTP autentication)
183 // do not contain username_element and password_element values.
188 }
192 OtherPossibleUsernamesAction action) {
196 // Make sure the important fields stay the same as the initially observed or
197 // autofilled ones, as they may have changed if the user experienced a login
198 // failure.
199 // Look for these credentials in the list containing auto-fill entries.
203 // The user signed in with a login we autofilled.
206 // Public suffix matches should always be new logins, since we want to store
207 // them so they can automatically be filled in later.
212 // Check to see if we're using a known username but a new password.
218 // |pending_credentials_| is now set. Note we don't update
219 // |pending_credentials_.username_value| to |credentials.username_value|
220 // yet because we need to keep the original username to modify the stored
221 // credential.
225 // User typed in a new, unknown username.
231 }
234 // If the user selected credentials we autofilled from a PasswordForm
235 // that contained no action URL (IE6/7 imported passwords, for example),
236 // bless it with the action URL from the observed form. See bug 1107719.
245 }
253 else
255 }
266 }
268 }
272 }
276 // Note that the result gets deleted after this call completes, but we own
277 // the PasswordForm objects pointed to by the result vector, thus we keep
278 // copies to a minimum here.
281 // These credentials will be in the final result regardless of score.
287 }
288 // Score and update best matches.
290 // This check is here so we can append empty path matches in the event
291 // they don't score as high as others and aren't added to best_matches_.
292 // This is most commonly imported firefox logins. We skip blacklisted
293 // ones because clearly we don't want to autofill them, and secondly
294 // because they only mean something when we have no other matches already
295 // saved in Chrome - in which case they'll make it through the regular
296 // scoring flow below by design. Note signon_realm == origin implies empty
297 // path logins_result, since signon_realm is a prefix of origin for HTML
298 // password forms.
299 // TODO(timsteele): Bug 1269400. We probably should do something more
300 // elegant for any shorter-path match instead of explicitly handling empty
301 // path matches.
306 }
308 // Always keep generated passwords as part of the result set. If a user
309 // generates a password on a signup form, it should show on a login form
310 // even if they have a previous login saved.
311 // TODO(gcasto): We don't want to cut credentials that were saved on signup
312 // forms even if they weren't generated, but currently it's hard to
313 // distinguish between those forms and two different login forms on the
314 // same domain. Filed http://crbug.com/294468 to look into this.
321 }
326 // This new login has a better score than all those up to this point
327 // Note 'this' owns all the PasswordForms in best_matches_.
332 }
335 }
336 // We're done matching now.
341 }
346 // If we don't already have a result with the same username, add the
347 // lower-scored match (if it had equal score it would already be in
348 // best_matches_).
351 }
356 // It is possible we have at least one match but have no preferred_match_,
357 // because a user may have chosen to 'Forget' the preferred match. So we
358 // just pick the first one and whichever the user selects for submit will
359 // be saved as preferred.
364 // Check to see if the user told us to ignore this site in the past.
368 }
370 // If not blacklisted, send a message to allow password generation.
373 // Proceed to autofill.
374 // Note that we provide the choices but don't actually prefill a value if:
375 // (1) we are in Incognito mode, (2) the ACTION paths don't match,
376 // or (3) if it matched using public suffix domain matching.
384 else
388 }
393 // TODO(kaiwang): Remove this function.
395 }
403 // No result means that we visit this site the first time so we don't need
404 // to check whether this site is blacklisted or not. Just send a message
405 // to allow password generation.
408 }
410 }
413 // Ignore change password forms until we have some change password
414 // functionality
417 }
418 // Don't match an invalid SSL form with one saved under secure
419 // circumstances.
422 }
424 }
429 // The new_form is being used to sign in, so it is preferred.
431 // new_form contains the same basic data as observed_form_ (because its the
432 // same form), but with the newly added credentials.
441 }
449 }
450 }
453 // Remove any possible usernames that could be credit cards or SSN for privacy
454 // reasons. Also remove duplicates, both in other_possible_usernames and
455 // between other_possible_usernames and username_value.
462 }
466 }
475 // This wasn't the selected login but it used to be preferred.
480 }
481 }
482 }
487 // If we're doing an Update, we either autofilled correctly and need to
488 // update the stats, or the user typed in a new password for autofilled
489 // username, or the user selected one of the non-preferred matches,
490 // thus requiring a swap of preferred bits.
499 }
501 // Update metadata.
504 // Check to see if this form is a candidate for password generation.
509 // Remove alternate usernames. At this point we assume that we have found
510 // the right username.
513 // Update the new preferred login.
515 // An other possible username is selected. We set this selected username
516 // as the real username. The PasswordStore API isn't designed to update
517 // username, so we delete the old credentials and add a new one instead.
526 // Note origin.spec().length > signon_realm.length implies the origin has a
527 // path, since signon_realm is a prefix of origin for HTML password forms.
528 //
529 // The user logged in successfully with one of our autofilled logins on a
530 // page with non-empty path, but the autofilled entry was initially saved/
531 // imported with an empty path. Rather than just mark this entry preferred,
532 // we create a more specific copy for this exact page and leave the "master"
533 // unchanged. This is to prevent the case where that master login is used
534 // on several sites (e.g site.com/a and site.com/b) but the user actually
535 // has a different preference on each site. For example, on /a, he wants the
536 // general empty-path login so it is flagged as preferred, but on /b he logs
537 // in with a different saved entry - we don't want to remove the preferred
538 // status of the former because upon return to /a it won't be the default-
539 // fill match.
540 // TODO(timsteele): Bug 1188626 - expire the master copies.
547 }
548 }
558 }
559 }
560 }
562 }
566 // We check to see if the saved form_data is the same as the observed
567 // form_data, which should never be true for passwords saved on account
568 // creation forms. This check is only made the first time a password is used
569 // to cut down on false positives. Specifically a site may have multiple login
570 // forms with different markup, which might look similar to a signup form.
574 // Ignore |pending_structure| if its FormData has no fields. This is to
575 // weed out those credentials that were saved before FormData was added
576 // to PasswordForm. Even without this check, these FormStructure's won't
577 // be uploaded, but it makes it hard to see if we are encountering
578 // unexpected errors.
585 // Note that this doesn't guarantee that the upload succeeded, only that
586 // |pending.form_data| is considered uploadable.
590 }
591 }
592 }
593 }
597 // For scoring of candidate login data:
598 // The most important element that should match is the origin, followed by
599 // the action, the password name, the submit button name, and finally the
600 // username input field name.
601 // Exact origin match gives an addition of 64 (1 << 6) + # of matching url
602 // dirs.
603 // Partial match gives an addition of 32 (1 << 5) + # matching url dirs
604 // That way, a partial match cannot trump an exact match even if
605 // the partial one matches all other attributes (action, elements) (and
606 // regardless of the matching depth in the URL path).
607 // If public suffix origin match was not used, it gives an addition of
608 // 16 (1 << 4).
611 // This check is here for the most common case which
612 // is we have a single match in the db for the given host,
613 // so we don't generally need to walk the entire URL path (the else
614 // clause).
617 // Walk the origin URL paths one directory at a time to see how
618 // deep the two match.
626 depth++;
627 score++;
628 }
629 // do we have a partial match?
631 }
643 }
646 }
650 }
654 }
659 observed_form_));
660 }