Chromium's implementation of use-URL-credentials probably does not match the spec #1496
Labels
interop
Implementations are not interoperable with each other
needs tests
Moving the issue forward requires someone to write tests
Spinning off from #465 (comment) .
We suspect that Chromium implements this flag by stripping the username and password from the URL before doing the fetch, which will cause the server worker, or any redirect destinations, to observe the modified URL. Whereas in the Fetch spec, there's a separate boolean which causes the URL credentials to be not-used.
This might be just a Chromium bug, but it's worth checking at least WebKit given the shared lineage. It's possible we might want to update the spec to match Chromium's behavior instead, as arguably reducing the number of URLs with usernames/passwords in them throughout the ecosystem is nice.
First step is to write some proper web platform tests, I guess.
The text was updated successfully, but these errors were encountered: