Mike West
Kicking off another discussion, @annevk. Same issue as https://github.com/whatwg/fetch/pull/464 regarding top-level vs non. I've called that out with an XXX span; we'll remove that if/when we decide that this kind...
I haven't verified this in Edge, but I'm told that MS hasn't supported this for years: https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-site-addresses-http-or-https-urls
It's a bit complicated, so I might be misreading, but I don't think the suggested change breaks that bit of the algorithm. By putting the check at the top of...
I'd suggest blocking those as well; they're included in the Chrome metric noted above, and they have similar properties from a security perspective. Basically, I think basic/digest auth is ~fine...
FYI: I'm pretty sure Edge (and IE) already implement this. See https://groups.google.com/a/chromium.org/d/msg/blink-dev/lx-U_JR2BF0/dxXzIYjwBwAJ and https://support.microsoft.com/en-us/help/834489/internet-explorer-does-not-support-user-names-and-passwords-in-web-site-addresses-http-or-https-urls. @travisleithead can, I'm sure, confirm that.
> IE/Edge restricts it to HTTP(S) URLs, which is a little different, though I suspect in practice that only affects FTP

Indeed. Also, let's kill FTP (in #464). :)
This one I can certainly write tests for, so let's let me do that before we land the spec patch. I plan to land this change in Chrome after the...
This seems like a reasonable thing to explore. I can add some metrics to Chrome. @zackw: Would you mind filing a bug at https://crbug.com/ so I remember to follow up...
Yes, sorry. I mean that we'd conceptually split things out into "ports we can block completely", and "ports we can block for subresource requests". The latter would indeed be a...
See also https://bugs.chromium.org/p/chromium/issues/detail?id=959789.