
Issue 738408

Issue metadata

Status: Duplicate
Merged: issue 731618
Owner:
Buried. Ping if important.
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




credentials used in a website's URL mean subrequests to relative URLs are "blocked:origin"

Reported by dannysm...@silktide.com, Jun 30 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Example URL:
https://blah:blah@www.google.co.uk

Steps to reproduce the problem:
1. Load Google's homepage in the browser
2. Copy the URL, after it has redirected you
3. Modify the URL to add the credentials "blah:blah" - e.g. https://blah:blah@www.google.co.uk
4. Go to the modified URL and note the blocked subrequests

What is the expected behavior?
Subrequests should not inherit credentials from the page's URL and should load normally

What went wrong?
Subrequests are inheriting credentials from the page's URL and subsequently being blocked, as per https://www.chromestatus.com/feature/5669008342777856

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? Yes Not sure, I first noticed this on 2017 / 06 / 28

Does this work in other browsers? Yes

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 10.0
Flash Version: 

This issue happens on any website where relative subrequest URLs are used. 
The site under test doesn't need to accept or require the credentials; they just need to be present in the main page URL.
 
Attachment: subrequest bug.png (59.7 KB)
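
The inheritance described in the report can be reproduced outside the browser with the standard `URL` class, which resolves relative references the same way a page does. This is an added example, not code from the report or from Chromium; the reference list and function names are constructed for illustration, and stripping the userinfo from the base is shown only as a contrast, not as the fix that landed.

```javascript
// Added illustration (not Chromium code): relative references resolved
// against a base URL that carries userinfo, using the standard URL class.

// Constructed sample: the page URL from the report plus made-up references.
const PAGE_URL = "https://blah:blah@www.google.co.uk/";
const REFERENCES = [
  "/images/logo.png",              // path-absolute relative reference
  "script.js",                     // path-relative reference
  "?q=1",                          // query-only reference
  "//www.google.co.uk/x.css",      // scheme-relative: supplies its own authority
  "https://www.google.co.uk/a.js", // absolute URL
];

// True when a parsed URL carries a username or a password.
function hasEmbeddedCredentials(url) {
  return url.username !== "" || url.password !== "";
}

// Resolve every reference against the base and record whether the result
// ended up with embedded credentials, the condition the report says is
// flagged as "blocked:origin".
function classify(baseHref, refs) {
  const base = new URL(baseHref);
  return refs.map((ref) => {
    const resolved = new URL(ref, base);
    return { ref, href: resolved.href, inherited: hasEmbeddedCredentials(resolved) };
  });
}

// Return the same URL with the userinfo removed (contrast case only).
function stripCredentials(href) {
  const u = new URL(href);
  u.username = "";
  u.password = "";
  return u.href;
}

for (const row of classify(PAGE_URL, REFERENCES)) {
  console.log(row.inherited ? "inherits " : "clean    ", row.ref, "->", row.href);
}
```

Only references that reuse the base's authority pick up `blah:blah`; the scheme-relative and absolute forms name their own authority and resolve without it.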

Comment 1 by kochi@chromium.org, Jul 3 2017

Components: -Blink Internals>Network>Auth Blink>SecurityFeature>CredentialManagement
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
Is this enabled in released Chrome?  Or is it issue 435547?

Comment 2 by kochi@chromium.org, Jul 3 2017

Cc: kochi@chromium.org
mkwst@, could you take a look?

Comment 3 by mkwst@chromium.org, Jul 3 2017

Mergedinto: 731618
Status: Duplicate (was: Assigned)
This should be fixed in dev channel, and I'm asking permission to merge it back to beta. Duping against that bug.
