Resource Timing "name" capturing basic auth credentials for XHR requests.

For a quick example go to https://httpbin.org/ and try this out in the
console:

```js
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://foo:bar@httpbin.org/basic-auth/foo/bar');
xhr.send();
setTimeout(function () {
  // The Resource Timing entry's name is the full request URL, including the
  // user:password@ part, so the password can be parsed straight back out of it.
  alert('Your password is: ' +
    performance.getEntriesByType('resource').pop().name.split('@')[0].split(':').pop()
  );
}, 500);
```

Using basic auth may not be a great idea, but people still do,
inadvertently exposing passwords to other JavaScript on their pages.
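The practical consequence for anyone shipping Resource Timing data to an analytics or RUM endpoint is that entry names have to be treated as potentially containing credentials. The following is an added example (not code from the original post) of a defensive sanitiser: it uses the WHATWG `URL` API to detect and strip the userinfo part of an entry name before the entry leaves the page. The sample entries are constructed to mimic what `performance.getEntriesByType('resource')` returns; the function names are my own.

```javascript
// Added example: sanitise Resource Timing entry names before logging or
// forwarding them. PerformanceResourceTiming.name carries the full request
// URL, so an XHR to https://user:pass@host/... leaves "user:pass@" in the entry.

// Return a copy of the URL with any username/password removed.
// Strings that do not parse as URLs are returned unchanged.
function stripUserinfo(name) {
  let url;
  try {
    url = new URL(name);
  } catch (e) {
    return name;
  }
  url.username = '';
  url.password = '';
  return url.href;
}

// True if the URL carries a non-empty username or password.
function hasUserinfo(name) {
  try {
    const url = new URL(name);
    return url.username !== '' || url.password !== '';
  } catch (e) {
    return false;
  }
}

// Sanitise a list of Resource Timing-like entries ({name, duration, ...}).
// Returns {entries, leaked}: `entries` has credential-free names and
// `leaked` counts how many of the input entries carried userinfo, which is
// worth surfacing as a finding in its own right (a page is making
// credentialed requests from script).
function sanitizeEntries(entries) {
  let leaked = 0;
  const cleaned = entries.map((entry) => {
    if (hasUserinfo(entry.name)) {
      leaked += 1;
    }
    return Object.assign({}, entry, { name: stripUserinfo(entry.name) });
  });
  return { entries: cleaned, leaked };
}

// Constructed sample entries (not real measurements) in the shape of
// performance.getEntriesByType('resource') output.
const SAMPLE_ENTRIES = [
  { name: 'https://httpbin.org/get', duration: 12.5 },
  { name: 'https://foo:bar@httpbin.org/basic-auth/foo/bar', duration: 30.1 },
  { name: 'https://user@example.com/path?x=1', duration: 8.0 },
];

// Demonstrate on the constructed sample when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sanitizeEntries(SAMPLE_ENTRIES), null, 2));
}
```

In a real beacon script this would run over `performance.getEntriesByType('resource')` immediately before serialising the payload; a non-zero `leaked` count is also a cheap signal that some script on the page is embedding credentials in XHR URLs.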

Received on Monday, 26 January 2015 13:23:55 UTC