Google-discovered vulnerability in Bitwarden

Readers of this thread may be interested in my PSA about theft of credentials by auto-fill, including the references linked therein (and especially the linked vulnerability demo).

Spoiler Alert: As demonstrated by the ability of Steve Englehardt’s demo site to “sniff” your login credentials, cross-site scripting can still be used to steal credentials that are auto-filled into invisible forms. The patched security vulnerability only prevents auto-filling from occurring when forms are located on pages that have a CSP sandbox response header or that are located inside sandboxed iframes.

If anybody with the requisite technical expertise (e.g., @mgibson) would be willing to provide a technical explanation of what difference this recent patch makes in the context of the more general XSS vulnerability (which apparently still exists), I would be much obliged.
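As an added illustration (not code from Bitwarden or from anyone in this thread) of the condition the post describes, here is a small JavaScript model of "withhold auto-fill when the response carries a CSP `sandbox` directive or the form sits in a sandboxed iframe". The function names, the header-array shape and the sample responses are assumptions made for the example; the point that Report-Only policies do not enforce `sandbox` is a property of CSP itself, not a claim about the patch.

```javascript
// Added example (not Bitwarden's code): models the rule the post describes,
// i.e. auto-fill is withheld when the page carries a CSP "sandbox" directive
// or sits inside a sandboxed iframe. All header values below are constructed.

// Parse one Content-Security-Policy value into a Map of directive -> tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a directive repeated within one policy is ignored after the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when any enforced CSP header on the response declares "sandbox".
// Report-Only policies are skipped: browsers do not apply sandbox from them.
function hasCspSandbox(headers) {
  return headers.some(([name, value]) =>
    name.toLowerCase() === 'content-security-policy' &&
    parseCsp(value).has('sandbox'));
}

// The decision the post attributes to the patch: block auto-fill only for
// sandboxed documents. An ordinary page still qualifies, which is exactly
// the gap the post raises about hidden forms on non-sandboxed pages.
function autofillPermitted(headers, inSandboxedIframe) {
  return !hasCspSandbox(headers) && !inSandboxedIframe;
}

// Constructed sample responses (header name, header value).
const sandboxedPage = [
  ['Content-Type', 'text/html'],
  ['content-security-policy', "default-src 'self'; sandbox allow-scripts"],
];
const reportOnlyPage = [
  ['Content-Security-Policy-Report-Only', 'sandbox'],
];
const plainPage = [['Content-Type', 'text/html']];
```

Running `autofillPermitted(plainPage, false)` returns `true`, which is the case the post is asking about: a page with no sandbox still receives auto-fill regardless of whether its form is visible.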