Fill on account select in the password manager behind a flag
This implements, behind a flag, fill on account select in the password
manager. When the --enable-fill-on-account-select flag is used (or set
in chrome://flags), instead of autofilling on page load, the password
manager will mark fields as "autofilled" that it believes it can
appropriately autofill, but it will wait until the user has selected
those fields manually and chooses the appropriate account before filling
them in.
There are two main advantages to this approach. The first is that it
raises the bar for attackers with XSS's to sites in harvesting
passwords. These attackers will not be able to rely on a mere user
gesture before the field is filled; the user now must explicitly choose
the account before it fills. Secondly, it has the possibility of
improving the browsing experience on sites where the password manager
fails to fill correctly, as it won't actually fill until the user
chooses to do so, so if it tries to fill a wrong field, they user will
simply not choose an account.
The most basic part of this CL is quite straightforward in that if the flag is
enabled, it simply stops, marks the fields as autofilled, and does not actually
fill the fields with the credentials. However, there is a more complicated
corner case: forms where the username is not editable, but the password field
is, such as google.com/accounts after a user has logged in once. For these
cases, it was necessary to add additional logic so that the *password* field
can be clicked and the credentials can be selected. This requires a new IPC and
some new autofill plumbing to change the dropdown menu, which was added in a
previous CL, while this CL sets the appropriate option in the IPC.
BUG=410963
Review URL: https://codereview.chromium.org/773573004
Cr-Commit-Position: refs/heads/master@{#308159}
10 files changed
