[whatwg/fetch] Chromium's implementation of use-URL-credentials probably does not match the spec (Issue #1496)

Spinning off from https://github.com/whatwg/fetch/pull/465#issuecomment-1263103213 .

We suspect that Chromium implements this flag by stripping the username and password from the URL before doing the fetch, which will cause the service worker, or any redirect destinations, to observe the modified URL. Whereas in the Fetch spec, there's a separate boolean which causes the URL credentials to be not-used.

This might be just a Chromium bug, but it's worth checking at least WebKit given the shared lineage. It's possible we might want to update the spec to match Chromium's behavior instead, as arguably reducing the number of URLs with usernames/passwords in them throughout the ecosystem is nice.

First step is to write some proper web platform tests, I guess.

-- 
View it on GitHub: https://github.com/whatwg/fetch/issues/1496

Message ID: <whatwg/fetch/issues/1496@github.com>

Received on Friday, 30 September 2022 08:40:58 UTC