- // Some login forms have onSubmit handlers that put a hash of the password
- // into a hidden field and then clear the password (http://crbug.com/28910).
- // This method gets called before any of those handlers run, so save away
- // a copy of the password in case it gets lost.
- scoped_ptr<PasswordForm> password_form(CreatePasswordForm(form));
- if (password_form)
- provisionally_saved_forms_[frame].reset(password_form.release());
+ // Forms submitted via XHR are not seen by WillSubmitForm if the default
+ // onsubmit handler is overridden. Such submission first gets detected in
+ // DidStartProvisionalLoad, which no longer knows about the particular form,
+ // and uses the candidate stored in |provisionally_saved_forms_|.
+ //
+ // User-typed password will get stored to |provisionally_saved_forms_| in
+ // TextDidChangeInTextField. Autofilled or JavaScript-copied passwords need to
+ // be saved here.
+ //
+ // Only non-empty passwords are saved here. Empty passwords were likely
+ // cleared by some scripts (http://crbug.com/28910, http://crbug.com/391693).
+ // Had the user cleared the password, |provisionally_saved_forms_| would
+ // already have been updated in TextDidChangeInTextField.
+ ProvisionallySavePassword(frame, form, RESTRICTION_NON_EMPTY_PASSWORD);