Improve LoginsHelper to solve iFrame and Cross-Site-Scripting problem

[soner-yuksel]

Problem Description

Actual LoginsHelper script that enables us to save and auto-fill login information needs a refinement so it will enable us to save and auto-fill login information properly on some sites.

For the improvements in the login script changes have to be made towards supporting login suggestions where window can be iframe.contentWindow and injecting into iFrame will be needed, in addition XSS (Cross-Site-Scripting) problem should be solved so it will inject autofill credentials.

Implementation Details

First problems are websites like facebook uses form only for CSS styling. So It never calls form.submit it has no input type=submit or button type=submit. It’s all done through a socket.In this case it is better to just check in our LoginHelper.swift if the URL of the tab changed and then do suggestion to add to login suggest after.

Second problem is related with iFrame + Cross-Site-Scripting. Right now we can’t autofill on reddit because it injects into window. But it doesn’t consider that the window can be iframe.contentWindow and so it ignores injecting into iFrame.

Then it has XSS (Cross-Site-Scripting) problem where it won’t inject autofill credentials into any page that doesn’t have login on wkMessage.frameInfo.isMainFrame

QA test plan

1. Try login to facebook and save login (m.facebook.com) and check If password and username field is filled.
2. Try login to reddit and save login and check if username field is filled.

[kjozwiak]

Went through the following STR/Cases on the various devices/iOS versions mentioned below:

• Note: Basically followed the examples from Improve LoginsHelper to solve iFrame and Cross-Site-Scripting problem  #4113 (comment)

Test Case #1 - Reddit

• ensure that you can login into reddit without any issues
• once logged in, click on the Save Login on the modal that Brave displays
• logout and ensure that the username is filled in but not the password via the login screen

Also ensured that 1Password can be used to fill both username & password and login without any issues

Test Case #1 - FB

• ensure that you can login into reddit without any issues
• once logged in, click on the Save Login on the modal that Brave displays
• logout and ensure that the both the username & password are automatically auto-filled

Also ensured that 1Password can be used to fill both username & password and login without any issues

Devices/iOS versions used during verification:

• Verification PASSED on iPhone 12 running iOS 15.1.1 using 1.33 (21.12.8.23)
• Verification PASSED on iPhone 6+ running iOS 14.6 using 1.33 (21.12.8.23)
• Verification PASSED on iPad Air (3rd Gen) running iOS 15.1 using 1.33 (21.12.8.23)