If OmniWeb saves passwords in the Keychain and normally fills them in on a web form, does it not have to check that the domain is correct? Would not its failing to fill in a password in the normal way serve as an warning that something is awry?