Don't limit 'Login not secure' warning to password fields

Per the specs at go/fns-ui-spec, the "Login not secure" warning should
show up in username fields as well as password fields. Which makes sense
because usernames are sensitive information too. Thus, this CL populates
the "Login not secure" warning in the suggestions dropdown of a password
form regardless of whether the field is a password field or not.

BUG=675696
TEST=Enable #enable-http-form-warning in chrome://flags and relaunch
Chrome. Save a username/password in the Name/Password form in
http://rsolomakhin.github.io/autofill/. Focus the "Name" field and
observe a "Login not secure" warning in the autofill dropdown.

Review-Url: https://codereview.chromium.org/2585173006
Cr-Commit-Position: refs/heads/master@{#439837}

components/autofill_strings.grdp

@@ -197,7 +197,7 @@
     Use password for:
   </message>
 
-  <message name="IDS_AUTOFILL_PASSWORD_HTTP_WARNING_MESSAGE" desc="Chrome can help the user fill password web forms by showing a pop-up with text suggestions next to a focused password text field. If the form is on an insecure site (e.g., http://), this text is shown on top of those suggestions.">
+  <message name="IDS_AUTOFILL_LOGIN_HTTP_WARNING_MESSAGE" desc="Chrome can help the user fill login web forms by showing a pop-up with text suggestions next to a focused text field. If the form is on an insecure site (e.g., http://), this text is shown on top of those suggestions.">
     Login not secure
   </message>
 

components/password_manager/core/browser/password_autofill_manager.cc

@@ -208,34 +208,33 @@ void PasswordAutofillManager::OnShowPasswordSuggestions(
         IDS_AUTOFILL_PASSWORD_FIELD_SUGGESTIONS_TITLE));
     password_field_suggestions.frontend_id = autofill::POPUP_ITEM_ID_TITLE;
     suggestions.insert(suggestions.begin(), password_field_suggestions);
+  }
 
-    GURL origin = (fill_data_it->second).origin;
-
-    bool is_context_secure = autofill_client_->IsContextSecure(origin) &&
-                             (!origin.is_valid() || !origin.SchemeIs("http"));
-    if (!is_context_secure && security_state::IsHttpWarningInFormEnabled()) {
-      std::string icon_str;
-
-      // Show http info icon for http sites.
-      if (origin.is_valid() && origin.SchemeIs("http")) {
-        icon_str = "httpWarning";
-      } else {
-        // Show https_invalid icon for broken https sites.
-        icon_str = "httpsInvalid";
-      }
+  GURL origin = (fill_data_it->second).origin;
+  bool is_context_secure = autofill_client_->IsContextSecure(origin) &&
+                           (!origin.is_valid() || !origin.SchemeIs("http"));
+  if (!is_context_secure && security_state::IsHttpWarningInFormEnabled()) {
+    std::string icon_str;
+
+    // Show http info icon for http sites.
+    if (origin.is_valid() && origin.SchemeIs("http")) {
+      icon_str = "httpWarning";
+    } else {
+      // Show https_invalid icon for broken https sites.
+      icon_str = "httpsInvalid";
+    }
 
-      autofill::Suggestion password_field_http_warning_suggestion(
-          l10n_util::GetStringUTF8(IDS_AUTOFILL_PASSWORD_HTTP_WARNING_MESSAGE),
-          l10n_util::GetStringUTF8(IDS_AUTOFILL_HTTP_WARNING_LEARN_MORE),
-          icon_str, autofill::POPUP_ITEM_ID_HTTP_NOT_SECURE_WARNING_MESSAGE);
+    autofill::Suggestion http_warning_suggestion(
+        l10n_util::GetStringUTF8(IDS_AUTOFILL_LOGIN_HTTP_WARNING_MESSAGE),
+        l10n_util::GetStringUTF8(IDS_AUTOFILL_HTTP_WARNING_LEARN_MORE),
+        icon_str, autofill::POPUP_ITEM_ID_HTTP_NOT_SECURE_WARNING_MESSAGE);
 #if !defined(OS_ANDROID)
       suggestions.insert(suggestions.begin(), autofill::Suggestion());
       suggestions.front().frontend_id = autofill::POPUP_ITEM_ID_SEPARATOR;
 #endif
-      suggestions.insert(suggestions.begin(),
-                         password_field_http_warning_suggestion);
-    }
+      suggestions.insert(suggestions.begin(), http_warning_suggestion);
   }
+
   autofill_client_->ShowAutofillPopup(bounds,
                                       text_direction,
                                       suggestions,

components/password_manager/core/browser/password_autofill_manager_unittest.cc

@@ -603,7 +603,7 @@ TEST_F(PasswordAutofillManagerTest, NonSecurePasswordFieldHttpWarningMessage) {
   // String "Login not secure" shown as a warning messages if password form is
   // on http sites.
   base::string16 warning_message =
-      l10n_util::GetStringUTF16(IDS_AUTOFILL_PASSWORD_HTTP_WARNING_MESSAGE);
+      l10n_util::GetStringUTF16(IDS_AUTOFILL_LOGIN_HTTP_WARNING_MESSAGE);
 
   // String "Use password for:" shown when displaying suggestions matching a
   // username and specifying that the field is a password field.
@@ -647,6 +647,62 @@ TEST_F(PasswordAutofillManagerTest, NonSecurePasswordFieldHttpWarningMessage) {
       0);
 }
 
+// Tests that the "Login not secure" warning shows up in non-password
+// fields of login forms.
+TEST_F(PasswordAutofillManagerTest, NonSecureUsernameFieldHttpWarningMessage) {
+  auto client = base::MakeUnique<TestPasswordManagerClient>();
+  auto autofill_client = base::MakeUnique<MockAutofillClient>();
+  InitializePasswordAutofillManager(client.get(), autofill_client.get());
+
+  gfx::RectF element_bounds;
+  autofill::PasswordFormFillData data;
+  data.username_field.value = test_username_;
+  data.password_field.value = test_password_;
+  data.origin = GURL("http://foo.test");
+
+  int dummy_key = 0;
+  password_autofill_manager_->OnAddPasswordFormMapping(dummy_key, data);
+
+  // String "Login not secure" shown as a warning messages if password form is
+  // on http sites.
+  base::string16 warning_message =
+      l10n_util::GetStringUTF16(IDS_AUTOFILL_LOGIN_HTTP_WARNING_MESSAGE);
+
+  // Http warning message won't show with switch flag off.
+  EXPECT_CALL(
+      *autofill_client,
+      ShowAutofillPopup(
+          element_bounds, _,
+          SuggestionVectorValuesAre(testing::ElementsAre(test_username_)), _));
+  password_autofill_manager_->OnShowPasswordSuggestions(
+      dummy_key, base::i18n::RIGHT_TO_LEFT, test_username_, 0, element_bounds);
+
+  SetHttpWarningEnabled();
+
+  // Http warning message shows for non-secure context and switch flag on, so
+  // there are 2 suggestions (+ 1 separator on desktop) in total, and the
+  // message comes first among suggestions.
+  auto elements = testing::ElementsAre(warning_message,
+#if !defined(OS_ANDROID)
+                                       base::string16(),
+#endif
+                                       test_username_);
+
+  EXPECT_CALL(*autofill_client,
+              ShowAutofillPopup(element_bounds, _,
+                                SuggestionVectorValuesAre(elements), _));
+  password_autofill_manager_->OnShowPasswordSuggestions(
+      dummy_key, base::i18n::RIGHT_TO_LEFT, test_username_, 0, element_bounds);
+
+  // Accepting the warning message should trigger a call to open the url and
+  // hide the popup.
+  EXPECT_CALL(*autofill_client, ShowHttpNotSecureExplanation());
+  EXPECT_CALL(*autofill_client, HideAutofillPopup());
+  password_autofill_manager_->DidAcceptSuggestion(
+      base::string16(), autofill::POPUP_ITEM_ID_HTTP_NOT_SECURE_WARNING_MESSAGE,
+      0);
+}
+
 TEST_F(PasswordAutofillManagerTest, SecurePasswordFieldHttpWarningMessage) {
   auto client = base::MakeUnique<TestPasswordManagerClient>();
   auto autofill_client = base::MakeUnique<MockAutofillClient>();