UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Example URL:
https://blah:blah@www.google.co.uk

Steps to reproduce the problem:
1. Load google's homepage in the browser
2. Copy the URL, after it has redirected you
3. modify the URL to add the credentials "blah:blah" - e.g. https://blah:blah@www.google.co.uk
4. Go to the modified URL and note the blocked subrequests

What is the expected behavior?
Subrequests should not inherit credentials from the page's URL and should load normally

What went wrong?
Subrequests are inheriting credentials form the page's URL and subsequently being blocked, as per https://www.chromestatus.com/feature/5669008342777856

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? Yes Not sure, I first noticed this on 2017 / 06 / 28

Does this work in other browsers? Yes

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 10.0
Flash Version: 

This issue happens on any website where relative subrequest URLs are used. 
The site under test doesn't need to accept or require the credentials, they just need to be present in the main page URL.
 

Deleted: subrequest bug.png 59.7 KB

	subrequest bug.png 59.7 KB View Download