It has been suggested that we use action URLs to help better filter against password stealing. That said, there are usability and web-compatibility considerations that may push users to less secure versions instead of jumping through the hoops. I think the chart below gives a good idea of how we should treat the various cases.

| Action URL domain | First visit | After action URL change | Rationale |
|---|---|---|---|
| Same domain | Allow save | Allow use | If you're submitting to the exact domain you're on, odds are they control enough to get your password anyway |
| Same TLD (trunk) | Allow save | Allow use | Same argument as the same domain, roughly. They can already use domain cookies to leak your sessions to the other domain anyway, so we're not changing much here |
| Different TLD (trunk) | Warn, but allow save | Warn, provide enough details for users to decide whether to autofill | Clearly a rare case, and likely risky. Legit sites can easily ensure no one gets the warning. |
| Different domain (1.8) | Save, and retain the host info (i.e. if foo.com submits to bar.com, save bar.com) | Autofill if the host matches, otherwise fail silently | Hopefully the lack of autofill is a tipoff. If the user has already submitted their user/pass to a phisher, we might as well save it... |
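
The chart's rules as a decision function, as an added example that is not the password manager's own code. It assumes "same TLD" means the same registrable domain; the function names, the policy strings, the page-host check in `autofill18` and the two-entry suffix set (a stand-in for the Public Suffix List) are all hypothetical.

```javascript
// Added example: constructed sketch of the chart's policy, not Mozilla's code.
// ASSUMPTION: "same TLD" means same registrable domain. A real implementation
// needs the Public Suffix List; this tiny constructed set stands in for it.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  const n = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Resolve the form's action attribute against the page URL (it may be relative
// or empty) and classify it the way the chart's first column does.
function classifyAction(pageUrl, actionAttr) {
  const page = new URL(pageUrl);
  const action = new URL(actionAttr || pageUrl, pageUrl);
  if (action.hostname === page.hostname) return "same-domain";
  if (baseDomain(action.hostname) === baseDomain(page.hostname)) return "same-tld";
  return "different";
}

// Trunk rows: what to do on first visit (save) and on later visits (use).
function trunkPolicy(pageUrl, actionAttr) {
  const kind = classifyAction(pageUrl, actionAttr);
  return kind === "different"
    ? { kind, save: "warn-then-allow", use: "warn-with-details" }
    : { kind, save: "allow", use: "allow" };
}

// 1.8 row: the saved login retains the action host (foo.com submitting to
// bar.com stores bar.com).
function saveLogin18(pageUrl, actionAttr, username, password) {
  const actionHost = new URL(actionAttr || pageUrl, pageUrl).hostname;
  return { pageHost: new URL(pageUrl).hostname, actionHost, username, password };
}

// Autofill only when the form still submits to the stored host; otherwise
// return null (fail silently). The page-host check is an assumption.
function autofill18(saved, pageUrl, actionAttr) {
  const actionHost = new URL(actionAttr || pageUrl, pageUrl).hostname;
  const match = saved.pageHost === new URL(pageUrl).hostname &&
                saved.actionHost === actionHost;
  return match ? { username: saved.username, password: saved.password } : null;
}
```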