1// Copyright 2016 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Data models to interface with legacy Autofill API.
6
7syntax = "proto2";
8
9option optimize_for = LITE_RUNTIME;
10
11package autofill;
12
13import "password_requirements.proto";
14
15// Request to query field suggestions for forms in a page from legacy Autofill
16// API.
17// Next available id: 15
18message AutofillQueryContents {
19  reserved 11;  // Reserved for server use.
20  required string client_version = 1;
21  repeated group Form = 2 {
22    required fixed64 signature = 3;
23    optional AutofillRandomizedFormMetadata form_metadata = 12;
24    repeated group Field = 4 {
25      required fixed32 signature = 5;
26      optional string name = 8;
27      optional string type = 9;  // Control type.
28      optional AutofillRandomizedFieldMetadata field_metadata = 13;
29    }
30  }
31  repeated int64 experiments = 14;
32}
33
34// Response from Autofill query on the legacy API that gives field suggestions
35// for forms of a page in a flattened representation. The fields are returned in
36// the exact same order as filled in the request.
37// Next available id: 10
38message AutofillQueryResponseContents {
39  optional bool upload_required = 1 [deprecated = true];
40  repeated group Field = 2 {
41    required fixed32 overall_type_prediction = 3;
42    // Detailed list of all possible predictions (including
43    // |overall_type_prediction| as the first item).
44    message FieldPrediction {
45      // The predicted field type.
46      optional fixed32 type = 1;
47
48      // True if the serverside classification believes that the field
49      // may be pre-filled with a placeholder in the value attribute.
50      optional bool may_use_prefilled_placeholder = 2;
51    }
52    repeated FieldPrediction predictions = 7;
53
54    // For fields of type NEW_PASSWORD and ACCOUNT_CREATION_PASSWORD, this may
55    // specify requirements for the generation of passwords.
56    optional PasswordRequirementsSpec password_requirements = 9;
57  }
58}
59
60// This message contains a randomized encoding of a string, where each bit
61// in the encoded string is randomly sent as either the true value seen by
62// the client, or random noise. The mapping of specific bits in the encoded
63// string back to bits in the original string is specified by the EncodingType.
64message AutofillRandomizedValue {
65  enum EncodingType {
66    // Reserved default value. Should never be sent over the wire.
67    UNSPECIFIED_ENCODING_TYPE = -1;
68
69    // This string encodes only one bit, bit N, for each byte.
70    BIT_0 = 0;
71    BIT_1 = 1;
72    BIT_2 = 2;
73    BIT_3 = 3;
74    BIT_4 = 4;
75    BIT_5 = 5;
76    BIT_6 = 6;
77    BIT_7 = 7;
78
79    // For each byte, the encoded value contains even or odd bits only.
80    EVEN_BITS = 8;
81    ODD_BITS = 9;
82
83    // The encoded value contains all of the bits.
84    ALL_BITS = 10;
85  }
86
87  // Selector denoting the source bits to which the encoded bits correspond.
88  optional EncodingType encoding_type = 1 [default = UNSPECIFIED_ENCODING_TYPE];
89
90  // The encoded bits. Only the bits denoted by |encoding_type| are included in
91  // |encoded_bits|.
92  //
93  // BIT_K encodings:
94  //    each randomized bit i in |encoded_bits| corresponds to bit k of the byte
95  //    at the corresponding offset i of the original metadata value, up to
96  //    i=64 (8 bytes).
97  //
98  // EVEN_BITS encoding:
99  //     each randomized bit i in |encoded_bits| corresponds to bit 2*i of the
100  //     original metadata value, up to i=256 (32 bytes).
101  //
102  // ODD_BITS encoding:
103  //     each randomized bit i in |encoded_bits| corresponds to bit 2*i+1 of the
104  //     original metadata value, up to i=256 (32 bytes).
105  //
106  // ALL_BITS encoding:
107  //     each bit i in |encoded_bits| corresponds to bit i of the original
108  //     metadata value, up to i=512 (64 bytes).
109  //
110  // The encoded data is generally not user data, however, it is possible that
111  // user visible metadata (like the Label for an input field) could be
112  // personalized and thus contains user data (possibly PII). For the ALL_BITS
113  // encoding, each randomized byte has a 10% probability of being encoded 1:1
114  // as the true byte seen by the client, even if some of those bits were
115  // transmitted as noise. For all of the other encodings, the encoded bits
116  // does not encode any full bytes.
117  optional bytes encoded_bits = 2;
118
119  // 32-bit checksum before randomization (passed in clear text). Note that
120  // this value may not be present; for now, it is only stored for metadata
121  // values of type FORM_URL.
122  optional fixed32 checksum = 3;
123}
124
125// Describes how the button is implemented in HTML source. Corresponds to
126// the mojo ButtonTitleType enum defined in
127// components/autofill/core/common/mojom/autofill_types.mojom.h
128enum ButtonTitleType {
129  NONE = 0;
130  BUTTON_ELEMENT_SUBMIT_TYPE = 1;  // <button type='submit'>
131  BUTTON_ELEMENT_BUTTON_TYPE = 2;  // <button type='button'>
132  INPUT_ELEMENT_SUBMIT_TYPE = 3;   // <input type='submit'>
133  INPUT_ELEMENT_BUTTON_TYPE = 4;   // <input type='button'>
134  HYPERLINK = 5;                   // e.g. <a class='button'>
135  DIV = 6;                         // e.g. <div id='submit'>
136  SPAN = 7;                        // e.g. <span name='btn'>
137}
138
139// The collection of autofill field metadata to be sent using randomization.
140message AutofillRandomizedFormMetadata {
141  // Form element id. Example: <form id="XXXXXXXX">
142  optional AutofillRandomizedValue id = 1;
143
144  // Form element name. Example: <form name="XXXXXXXX">
145  optional AutofillRandomizedValue name = 2;
146
147  // Form element action. Example: <form action="XXXXXXXX">
148  optional AutofillRandomizedValue action = 3;
149
150  // Location of form as URL.
151  optional AutofillRandomizedValue url = 4;
152
153  // Information about a button's title (sync with another ButtonTitle in this
154  // proto).
155  message ButtonTitle {
156    // Text showed on the button.
157    optional AutofillRandomizedValue title = 1;
158
159    // Describes how the button is implemented in HTML source.
160    optional ButtonTitleType type = 2;
161  }
162  // Titles of form's buttons. Example: <input type="submit" value="XXXXX">
163  repeated ButtonTitle button_title = 5;
164
165  reserved 6;
166}
167
168// The collection of autofill field metadata to be sent using randomization.
169message AutofillRandomizedFieldMetadata {
170  // Input element id. Example: <input id="XXXXXXXX">
171  optional AutofillRandomizedValue id = 1;
172
173  // Input element name. Example:  <input name="XXXXXXXX">
174  optional AutofillRandomizedValue name = 2;
175
176  // Input element type. Example: <input type="XXXXXXXX">
177  optional AutofillRandomizedValue type = 3;
178
179  // Input field label value seen by the user, either explicitly annotated in
180  // the DOM or inferred by the client.
181  //
182  // The value encountered by the client may be personalized (for example:
183  // "Please enter the password for foo@bar.net"). The system will learn the
184  // common/static prefix and determine that the personalized substring is
185  // noise. That said, for a given upload using the ALL_BITS encoding, each
186  // byte has a 10% probability or matching the original plaintext byte and
187  // a 1 in 10^m chance of the full m-character string being uploaded as
188  // plaintext. The other encodings only send partial bytes.
189  //
190  // Example:  <label for="id">XXXXXXX</label>
191  optional AutofillRandomizedValue label = 4;
192
193  // Input field label value exposed to the user via ARIA.
194  // Example 1: <input aria-label="XXXXXX>
195  // Example 2: <div id="foo">XXXXXXX</div>
196  //            <input aria-labelledby="foo">
197  optional AutofillRandomizedValue aria_label = 5;
198
199  // Input field description exposed to the user via ARIA.
200  // Example:
201  //     <div id="foo">XXXXXXX</div>
202  //     <input aria-describedby="foo">
203  optional AutofillRandomizedValue aria_description = 6;
204
205  // CSS class for the input element.
206  // Example: <input class="XXXXXXXX">
207  optional AutofillRandomizedValue css_class = 7;
208
209  // Placeholder text for the input element.
210  // Example: <input placeholder="XXXXXXXX">
211  optional AutofillRandomizedValue placeholder = 8;
212
213  // Hash of the initial value of the field. We want to learn if the initial
214  // value of this field is personalized to the user (we will learn that the
215  // value is noise) or if it is a placeholder in disguise (we will learn a
216  // constant hash).
217  //
218  // Example: <input value="VVVVVVV">
219  //          XXXXXXXX = hash("VVVVVVV"")
220  optional AutofillRandomizedValue initial_value_hash = 9;
221}
222
223// This message contains information about the field types in a single form.
224// It is sent by the toolbar to contribute to the field type statistics.
225// Next available id: 41
226message AutofillUploadContents {
227  required string client_version = 1;
228  required fixed64 form_signature = 2;
229
230  // The secondary form signature is calculated based on field types instead of
231  // names and is used if the primary one is unstable, i.e. the field names
232  // change on every page load.
233  optional fixed64 secondary_form_signature = 34;
234
235  // True if the autofill feature was used to fill this form, false otherwise.
236  required bool autofill_used = 3;
237
238  // A string representing a bit array of what personal information items
239  // the user has entered in the autofill settings dialog.
240  // The corresponding bit is set if the user has that particular
241  // item entered and is not set otherwise.
242  required string data_present = 4;
243
244  // List of the fields in the form and their types.
245  repeated group Field = 5 {
246    // Field identification inside the current form.
247    required fixed32 signature = 6;
248
249    // Type of the field, e.g. what type of personal information did the user
250    // enter in that field before form submission. There is a predefined
251    // enum of types located at
252    // components/autofill/core/browser/field_types.h
253    // AutoFillFieldType
254    repeated fixed32 autofill_type = 7;
255
256    // The value of the name attribute on the field, if present. Otherwise, the
257    // value of the id attribute. See HTMLFormControlElement::nameForAutofill.
258    // TODO(850606): Deprecate once randomized metadata is launched.
259    optional string name = 8;
260
261    // The value of the autocomplete attribute on the field, if present.
262    // TODO(850606): Deprecate once randomized metadata is launched.
263    optional string autocomplete = 9;
264
265    // The type of input control for this field (e.g. text, textarea, email).
266    // TODO(850606): Deprecate once randomized metadata is launched.
267    optional string type = 10;
268
269    // The field-level metadata associated with this field, randomized.
270    optional AutofillRandomizedFieldMetadata randomized_field_metadata = 33;
271
272    enum PasswordGenerationType {
273      NO_GENERATION = 0;
274      AUTOMATICALLY_TRIGGERED_GENERATION_ON_SIGN_UP_FORM = 1;
275      AUTOMATICALLY_TRIGGERED_GENERATION_ON_CHANGE_PASSWORD_FORM = 2;
276      MANUALLY_TRIGGERED_GENERATION_ON_SIGN_UP_FORM = 3;
277      MANUALLY_TRIGGERED_GENERATION_ON_CHANGE_PASSWORD_FORM = 4;
278      IGNORED_GENERATION_POPUP = 5;
279    }
280    // The type of password generation, if it happened.
281    optional PasswordGenerationType generation_type = 17;
282
283    // The value of the class attribute on the field, if present.
284    // TODO(850606): Deprecate once randomized metadata is launched.
285    optional string css_classes = 19;
286
287    // The properties mask (i.e. whether the field was autofilled, user
288    // modified, etc.) See FieldPropertiesFlags.
289    optional uint32 properties_mask = 20;
290
291    // The value of the id attribute, if it differs from the name attribute.
292    // Otherwise, this field is absent.
293    // TODO(850606): Deprecate once randomized metadata is launched.
294    optional string id = 21;
295
296    // True iff the user changed generated password. If there was no generation,
297    // the field is absent.
298    optional bool generated_password_changed = 22;
299
300    enum VoteType {
301      NO_INFORMATION = 0;
302      // A credential saved on one form (typically a signup form) was used on a
303      // login form. The vote applies to the first (signup) form.
304      CREDENTIALS_REUSED = 1;
305      // When reusing a credential, the username value is not the saved
306      // username, but another value, which appeared on the form where we saved.
307      // The correct field is voted for.
308      USERNAME_OVERWRITTEN = 2;
309      // In the save prompt, the user corrected the username value to another
310      // value from the form. The new field is voted for.
311      USERNAME_EDITED = 3;
312      // The username field was detected by the base heuristic (take the last
313      // non-password field before the first password field). The value is not
314      // used at this point.
315      BASE_HEURISTIC = 4;
316      // The username field was detected by HTML-based detector. The value is
317      // not used at this point.
318      HTML_CLASSIFIER = 5;
319      // A saved credential was used for the first time on a submitted form. The
320      // vote applies to the form being submitted.
321      FIRST_USE = 6;
322    }
323
324    // The type of password-related vote. If |autofill_type| is not a USERNAME
325    // or any PASSWORD vote, then the field is absent. This field describes the
326    // context of the vote.
327    optional VoteType vote_type = 23;
328
329    message AutofillTypeValiditiesPair {
330      // Type of the field, e.g. what type of personal data the user entered in
331      // that field before form submission. A list of all data types can be
332      // found in:
333      required int32 type = 1;
334      // The validity of the type, which is determined based on the validity of
335      // the user's profile data. A list of all validity states can be found
336      // here: components/autofill/core/browser/field_types.h
337      // The validity state of a type is used to experiment if only using valid
338      // data would result in better predictions.
339      repeated int32 validity = 2;
340    }
341    // A list of possible types for the field with their corresponding validity
342    // states based on the user's data.
343    repeated AutofillTypeValiditiesPair autofill_type_validities = 35;
344
345    // A low-entropy hash of the field's initial value before user-interactions
346    // or automatic fillings. This field is used to detect static
347    // placeholders.
348    optional uint32 initial_value_hash = 40;
349  }
350  // Signature of the form action host (e.g. Hash64Bit("example.com")).
351  optional fixed64 action_signature = 13;
352
353  // Signature of the form which is used for password generation debugging.
354  // Currently is used when password generated on a password field of a
355  // registration form is used on a password field of a login form.
356  optional fixed64 login_form_signature = 14;
357
358  // Whether a form submission event was observed.
359  optional bool submission = 15;
360
361  // The form name.
362  optional string form_name = 16;
363
364  // True if the non-obfuscated password values were shown to the user.
365  optional bool passwords_revealed = 24;
366
367  // The section of noisified data about password.
368  // Upload only one of character class attributes (|password_has_*|). Noisified
369  // length is always uploaded.
370  // Upload only when a password is saved.
371  // Used to adjust the password generator's settings to site's requirements.
372
373  // Whether the password has any lowercase letter.
374  optional bool password_has_lowercase_letter = 25;
375
376  // Deprecated since M80: Whether the password has any uppercase letter.
377  optional bool password_has_uppercase_letter = 26 [deprecated = true];
378
379  // Deprecated since M80: Whether the password has any digit.
380  optional bool password_has_numeric = 27 [deprecated = true];
381
382  // Whether the password has any special symbol.
383  optional bool password_has_special_symbol = 28;
384
385  // Noisified password length.
386  optional uint32 password_length = 29;
387
388  // If |password_has_special_symbol| is true, this field contains noisified
389  // information about a special symbol used in a user-created password stored
390  // in ASCII code.
391  // Otherwise, this field is unset.
392  optional uint32 password_special_symbol = 39;
393
394  // The end of the section of password attributes.
395
396  // Event observed by the password manager which indicated that the form was
397  // successfully submitted. Corresponds to |mojom::SubmissionIndicatorEvent|.
398  enum SubmissionIndicatorEvent {
399    NONE = 0;
400    HTML_FORM_SUBMISSION = 1;
401    SAME_DOCUMENT_NAVIGATION = 2;
402    XHR_SUCCEEDED = 3;
403    FRAME_DETACHED = 4;
404    DEPRECATED_MANUAL_SAVE = 5;  // obsolete
405    DOM_MUTATION_AFTER_XHR = 6;
406    PROVISIONALLY_SAVED_FORM_ON_START_PROVISIONAL_LOAD = 7;
407    DEPRECATED_FILLED_FORM_ON_START_PROVISIONAL_LOAD = 8;            // unused
408    DEPRECATED_FILLED_INPUT_ELEMENTS_ON_START_PROVISIONAL_LOAD = 9;  // unused
409    PROBABLE_FORM_SUBMISSION = 10;
410    CHANGE_PASSWORD_FORM_CLEARED = 11;
411  }
412
413  // The type of the event that was taken as an indication that the form has
414  // been successfully submitted.
415  optional SubmissionIndicatorEvent submission_event = 30;
416
417  // The language of the page on which this form appears.
418  optional string language = 31;
419
420  // Form-level metadata observed by the client, randomized.
421  optional AutofillRandomizedFormMetadata randomized_form_metadata = 32;
422
423  // Information about a button's title (sync with another ButtonTitle in this
424  // proto).
425  message ButtonTitle {
426    // Text showed on the button.
427    optional string title = 1;
428
429    // Describes how the button is implemented in HTML source.
430    optional ButtonTitleType type = 2;
431  }
432  // Titles of form's buttons.
433  // TODO(850606): Deprecate once randomized metadata is launched.
434  repeated ButtonTitle button_title = 36;
435
436  // Whether the fields are enclosed by a <form> tag or are unowned elements.
437  optional bool has_form_tag = 37;
438
439  // Captures whether or not this upload was a candidate for throttling.
440  optional bool was_throttleable = 38;
441}
442
443// This proto contains information about the validity of each field in an
444// autofill profile. It is used to transfer the results of running the profile
445// validation pipeline on the server side to the client via ChromeSync
446// PriorityPreferences. An identical copy of this proto is maintained in
447// the server code base.
448message ProfileValidityMap {
449  // Map from autofill type to the validity of its value in the profile.
450  //
451  // Key should be one of the enum values from ServerFieldType. Values should be
452  // from the AutofillProfile::ValidityState. Plain integers are used
453  // instead of enums because proto2 treats unknown enum values as unknown
454  // fields, which is confusing when the enums are in maps.
455  map<int32, int32> field_validity_states = 1;
456}
457
458// Map from profile GUIDs to profile validity maps for that profile. Each
459// message should contain entries for all profiles from a single user.
460message UserProfileValidityMap {
461  map<string, ProfileValidityMap> profile_validity = 1;
462}
463