Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug

Blocking:
issue 435547




Issue 504300: Disallow requests with basic auth credentials in URL

Reported by igrigo...@chromium.org, Jun 25 2015 Project Member

Issue description

- Fetch API does not allow such requests [1] 
- IE does not allow such requests already [2]

In light of the fact that IE already disallows such requests, I think we should consider doing the same in Chrome.

Additional context: https://github.com/w3c/resource-timing/issues/7

[1] https://github.com/whatwg/fetch/issues/26
[2] https://github.com/w3c/resource-timing/issues/7#issuecomment-114988822

Comment 1 by mkwst@chromium.org, Jun 25 2015

"disallow" in which contexts? I don't think it's web compatible, for instance, to block this kind of thing as subresource requests entirely (though I'd dearly love to).

See https://www.chromestatus.com/metrics/feature/timeline/popularity/532 for the current stats (0.008% of page views).

Comment 2 by igrigo...@chromium.org, Jun 25 2015

Ah, neat. Didn't know we were tracking usage numbers on this!

Re, not web compatible: maybe? Given that IE already disallows such requests, and apparently has done so for a while, I figure it's worth considering.

Comment 3 by mkwst@chromium.org, Jun 25 2015

Cc: tsepez@chromium.org
Last time we tried to change behavior here, we got yelled at by folks running webcams which used basic auth. tsepez@ has context.

Basically, if we want to take another run at it, I'll gleefully write a patch, but I don't have the time to drive the discussion on blink-dev@/net-dev@.

Comment 4 by kinuko@chromium.org, Jul 14 2016

Labels: -Pri-2 Needs-Feedback Pri-3
Status: Available (was: Untriaged)
Do we have an appetite to pursue this idea? Looks like first we need some public discussion if we really want to make this happen.

Comment 5 by mkwst@chromium.org, Jul 14 2016

Cc: palmer@chromium.org
Numbers in https://www.chromestatus.com/metrics/feature/timeline/popularity/532 are down to 0.003% of page views.

Tom, Chris, and Chris, are any of you interested in poking at this?

Also, should we dupe this against https://bugs.chromium.org/p/chromium/issues/detail?id=585109 (or vice versa)?

Comment 6 by palmer@google.com, Aug 5 2016

Cc: brettw@chromium.org jww@chromium.org f...@chromium.org rsleevi@chromium.org asanka@chromium.org jsc...@chromium.org
Issue 585109 has been merged into this issue.

Comment 7 by palmer@google.com, Aug 5 2016

Unfortunately, I'm not in a place where I can take on more work right now. GoodFirstBug, perhaps?

Comment 8 by mkwst@chromium.org, Jan 24 2017

Owner: mkwst@chromium.org
Status: Started (was: Available)
Intent to Remove at https://groups.google.com/a/chromium.org/d/msg/blink-dev/lx-U_JR2BF0/Hsg1fiZiBAAJ.

Standards discussion at https://github.com/whatwg/fetch/pull/465.

Comment 9 by mkwst@chromium.org, Jan 24 2017

(Working on subresources only in this intent; I don't have any numbers for top-level.)

Comment 10 by mkwst@chromium.org, Jan 25 2017

Blocking: 435547

Comment 11 by bugdroid1@chromium.org, Jan 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/81c970230a492e70e9a580c38e4de8a3f0fcc29b

commit 81c970230a492e70e9a580c38e4de8a3f0fcc29b
Author: mkwst <mkwst@chromium.org>
Date: Wed Jan 25 16:48:45 2017

Add deprecation messages for blocked subresource types.

Intent 1: https://groups.google.com/a/chromium.org/d/msg/blink-dev/bIJdwwoQ98U/-F1aL2FgBAAJ
Intent 2: https://groups.google.com/a/chromium.org/d/msg/blink-dev/lx-U_JR2BF0/Hsg1fiZiBAAJ

BUG=435547,504300

Review-Url: https://codereview.chromium.org/2647283007
Cr-Commit-Position: refs/heads/master@{#446038}

[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/multiple-report-policies-expected.txt
[add] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/security/deprecated-subresource-requests-expected.txt
[add] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/security/deprecated-subresource-requests.html
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/workers/referer-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/LayoutTests/security/block-test-expected.txt
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/81c970230a492e70e9a580c38e4de8a3f0fcc29b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Comment 12 by bugdroid1@chromium.org, Jan 27 2017

Labels: merge-merged-2987
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/781c4e2bbdd94ae563f4540136a2384443e5ec5d

commit 781c4e2bbdd94ae563f4540136a2384443e5ec5d
Author: Mike West <mkwst@google.com>
Date: Fri Jan 27 08:06:12 2017

Add deprecation messages for blocked subresource types.

Intent 1: https://groups.google.com/a/chromium.org/d/msg/blink-dev/bIJdwwoQ98U/-F1aL2FgBAAJ
Intent 2: https://groups.google.com/a/chromium.org/d/msg/blink-dev/lx-U_JR2BF0/Hsg1fiZiBAAJ

BUG=435547,504300,685084

Review-Url: https://codereview.chromium.org/2647283007
Cr-Commit-Position: refs/heads/master@{#446038}
(cherry picked from commit 81c970230a492e70e9a580c38e4de8a3f0fcc29b)

Review-Url: https://codereview.chromium.org/2659823004 .
Cr-Commit-Position: refs/branch-heads/2987@{#136}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/multiple-report-policies-expected.txt
[add] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/security/deprecated-subresource-requests-expected.txt
[add] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/security/deprecated-subresource-requests.html
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/workers/referer-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/LayoutTests/security/block-test-expected.txt
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/781c4e2bbdd94ae563f4540136a2384443e5ec5d/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Comment 14 by bugdroid1@chromium.org, Mar 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8574b4d96720361e495573ac5868f845017f7aa7

commit 8574b4d96720361e495573ac5868f845017f7aa7
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 27 10:07:10 2017

Block subresource requests whose URLs include credentials.

Usage of the `http://user:pass@host/` pattern has [declined significantly
in the last few years][1]. We've taken steps in this direction in the past
(see the discussion in https://crbug.com/174179 and
https://crbug.com/303046). My hope is that usage has decreased in the last
~2 years to the point where it makes sense to try again.

Intent: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lx-U_JR2BF0

[1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532

BUG=504300,435547

Review-Url: https://codereview.chromium.org/2651943002
Cr-Commit-Position: refs/heads/master@{#459737}

[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/fetch-event-redirect.https-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/cachestorage/resources/credentials-iframe.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/credentials.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/thorough/redirect-password.js
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/security/location-href-clears-username-password.html
[add] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/security/resources/post-location-to-opener.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-access-control-login.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-access-control.php
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth.html
[delete] https://crrev.com/4a6245e626500c412e86e74e110542d33408e679/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout-expected.txt
[delete] https://crrev.com/4a6245e626500c412e86e74e110542d33408e679/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth.php
[delete] https://crrev.com/4a6245e626500c412e86e74e110542d33408e679/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password-expected.txt
[delete] https://crrev.com/4a6245e626500c412e86e74e110542d33408e679/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password.html
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/workers/referer-expected.txt
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/workers/resources/referer-test.js
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/8574b4d96720361e495573ac5868f845017f7aa7/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5

Comment 15 by bugdroid1@chromium.org, Mar 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ddb4a2eacb8a77affdb05061644ee4f23adbd58

commit 1ddb4a2eacb8a77affdb05061644ee4f23adbd58
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 27 14:50:10 2017

Enable blocking of subresource requests whose URLs include credentials.

This patch flips the 'BlockCredentialedSubresources' flag to 'stable', and
ties it to a feature flag in //content that we can use as a kill switch if
it turns out that enterprise usage of the feature is higher than we hope
(the overall numbers still look reasonably low[1]).

Intent: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lx-U_JR2BF0

[1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532

BUG=504300,435547

Review-Url: https://codereview.chromium.org/2779603002
Cr-Commit-Position: refs/heads/master@{#459781}

[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/chrome/browser/ui/login/login_handler_browsertest.cc
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/content/child/runtime_features.cc
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/content/public/common/content_features.cc
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/content/public/common/content_features.h
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/LayoutTests/http/tests/security/deprecated-subresource-requests-expected.txt
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth-expected.txt
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth-expected.txt
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/1ddb4a2eacb8a77affdb05061644ee4f23adbd58/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5

Comment 16 by garnswor...@gmail.com, Apr 10 2017

This is still an issue for sites that use digest authentication. We are not able to use SSL, because our customers don't always have certificates. We are using an XMLHttpRequest to get the credentials into the browser, which is no longer allowed.

Comment 17 by bugdroid1@chromium.org, Apr 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6

commit fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6
Author: mkwst <mkwst@chromium.org>
Date: Wed Apr 12 14:38:23 2017

Carve out an exception for embedded credentials in XHR.

As discussed in https://crbug.com/707761, the security justification for
restricting username/password in XHR is weaker than I thought it was.
I'd still _like_ to remove developer-controlled usernames and passwords
from the platform, but I was incorrect to point to them as an actual
vulnerability, given the way basic/digest auth actually works (requiring
CORS-same-originness, and handshaking through a 401 response).

So, this patch limits the previous restrictions against embedded
credentials to non-XHR use cases. That will make SAP happy, and should
resolve the other complaints this change has generated.

BUG=707761,708131,504300

Review-Url: https://codereview.chromium.org/2808753003
Cr-Commit-Position: refs/heads/master@{#464019}

[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/chrome/browser/ui/login/login_handler_browsertest.cc
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/cachestorage/resources/credentials-iframe.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/credentials.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay-expected.txt
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/inspector/network/network-xhr-replay.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-access-control-login.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/fetch-access-control.php
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth-expected.txt
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/failed-auth.html
[add] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout-expected.txt
[add] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/logout.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth-expected.txt
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/null-auth.php
[add] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password-expected.txt
[add] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/remember-bad-password.html
[modify] https://crrev.com/fd04d4a0b5f4a35c4acd66a0b35773deb33e8bb6/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
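The three commits above (deprecation message, then blocking, then the XHR carve-out) together describe a policy for requests whose URL carries `user:pass@`. The following is an added example written for this page, not Chromium's own code: it models that policy with the WHATWG URL API that browsers and Node expose, and adds a small inventory helper of the kind an operator would run over bookmark exports or test-automation configs to find affected URLs before the change bites. The request kinds (`navigation`, `xhr`, `subresource`), the `warn`/`block` mode, and the sample lines are all assumptions of the example, not Chromium's internal enums or data.

```javascript
// Added example, not Chromium code. Models the policy this thread converges on:
//   - top-level navigations are out of scope (comment 9)
//   - XMLHttpRequest keeps its embedded credentials (comment 17)
//   - any other subresource with credentials gets a deprecation warning
//     (comment 11) or is blocked once the flag is stable (comment 15)
// The "kind" names and the warn/block mode are assumptions of this example.

const HTTP_SCHEMES = new Set(["http:", "https:"]);

// True when an http(s) URL carries a userinfo component (user, password, or both).
function hasEmbeddedCredentials(rawUrl, base = undefined) {
  let url;
  try {
    url = new URL(rawUrl, base);
  } catch {
    return false; // not a parseable URL, so there is nothing to block here
  }
  if (!HTTP_SCHEMES.has(url.protocol)) return false;
  return url.username !== "" || url.password !== "";
}

// Strip userinfo so the URL can be logged or reported without leaking the secret.
function redactCredentials(rawUrl) {
  const url = new URL(rawUrl);
  url.username = "";
  url.password = "";
  return url.href;
}

// Decide what to do with one request. `kind` is "navigation", "xhr" or
// "subresource"; `mode` is "warn" (deprecation message only) or "block".
function decideCredentialedRequest({ url, kind, mode = "block" }) {
  if (!hasEmbeddedCredentials(url)) {
    return { action: "allow", reason: "no embedded credentials" };
  }
  if (kind === "navigation") {
    return { action: "allow", reason: "top-level navigation is out of scope" };
  }
  if (kind === "xhr") {
    return { action: "allow", reason: "XHR carve-out: credentials are exchanged via the 401 handshake" };
  }
  const action = mode === "warn" ? "warn" : "block";
  return { action, reason: `credentialed subresource request to ${redactCredentials(url)}` };
}

// Inventory helper for operators: find credentialed http(s) URLs in free text
// and return redacted matches, so the report itself never carries a password.
const URL_PATTERN = /https?:\/\/[^\s"'<>]+/g;

function findCredentialedUrls(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    for (const match of line.matchAll(URL_PATTERN)) {
      if (hasEmbeddedCredentials(match[0])) {
        hits.push({ line: index + 1, url: redactCredentials(match[0]) });
      }
    }
  });
  return hits;
}

// Constructed sample input: a bookmark export line, a clean line, and a
// test-automation call of the shape later comments in this thread describe.
const SAMPLE_LINES = [
  "bookmark: http://admin:hunter2@cam.internal.example/view",
  "bookmark: https://wiki.internal.example/page",
  'driver.get("http://tester:secret@staging.example/login")',
];

console.log(decideCredentialedRequest({ url: "http://user:pass@cam.example/stream.jpg", kind: "subresource" }));
console.log(decideCredentialedRequest({ url: "http://user:pass@api.example/data", kind: "xhr" }));
console.log(findCredentialedUrls(SAMPLE_LINES));
```

Note that `hasEmbeddedCredentials` treats a username without a password as credentials too, since the URL parser reports either component separately; a check that only looks for a `:` before the `@` would miss that case.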

Comment 18 by ad...@alexei-vinogradov.de, Jul 5 2017

>>Sorry, Google-internal link: https://uma.googleplex.com/...
>>>shows that embedded credentials are at 0.00%.

Hey, it is the purpose of embedded credentials (as of any other credentials) to be unknown to the robots of Google and other search engines. Hence it is 0.00%.

1) People do use it in their bookmarks (unindexed by Google)
2) Many companies use simple basic auth for testing environments accessible from the internet (also unindexed by Google)

-> By blocking this syntax you lower the attractiveness of Chrome as the browser of choice for test automation.

Comment 19 by james.na...@gmail.com, Jul 7 2017

I use basic auth for access to log servers behind a vpn, you broke that.

Comment 20 by mjsbea...@gmail.com, Jul 12 2017

Whilst this may be a very small percentage of all page views, I suspect that any change will have a disproportionate effect on particular classes of users. In particular, I would suspect that this type of link is likely to be rather widely used inside company intranets etc. (Additionally, I am not sure whether such internal links would even be indexed in the data above, depending on how it is collected? But even assuming they are, I think the point applies.)

Comment 21 by palmer@chromium.org, Jul 12 2017

#20: To serve a large, global user base, we have to go by telemetry collected at a similarly large scale.

Comment #13 refers to User Metrics Analysis (UMA) histograms Navigation.FrameHasEmbeddedCredentials and Navigation.MainFrameHasEmbeddedCredentials. The metrics showed that use of such URLs was well below the normal threshold for deprecation.

People can choose whether or not to be represented in our metrics by going to chrome://settings/?search=usage+statistics. The number of people who do opt in is high enough that we have good confidence that our metrics represent the overall population well enough. However, no decision we make, including inaction, would please everyone.

As noted in the original bug report, Internet Explorer stopped supporting such URLs in version 6: https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-sit Thus, URLs with embedded credentials have not been part of the mainstream web for a long time.

Comment 22 by ray...@gmail.com, Dec 11 2017

Broke the WebCam viewer in our product.
Maybe allow it for local addresses at least?

And as for the reasoning:
[1] maybe fetch should be fixed
[2] IE-bugs are not something to be emulated.

Comment 23 by elawrence@chromium.org, Dec 11 2017

Re #2: This isn't an IE bug, it's a standards-compliance issue. The relevant RFCs at the time did not allow for storage of credentials in HTTP-scheme URLs.

Comment 24 by czig...@gmail.com, Feb 14

Don't break the internets please. Beg you.

It's not just webcams: hundreds of thousands of projects use something called Selenium/WebDriver to test web applications in the browser. Basic authentication is needed eyeballwise 50% of the time.
WebDriver lacks an API for the basic authentication, so embedding the username:password@url is the only way this really works.

Your statistics are misleading you, I think these uses do not appear in your numbers.
