From 5faf329c9ed30bc1c3447252cb32cd081980ca43 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Tue, 24 Jan 2017 13:05:49 +0100
Subject: [PATCH 1/2] Block subresource requests whose URLs include
 credentials.

Hard-coding credentials into subresource requests (e.g.
`https://user:pass@host/`) is problematic from a security perspective,
as it's allowed folks to brute-force credentials in the past, enables
session fixation attacks for sites using basic auth, and can allow
attackers access to well-known, poorly-coded devices (such as users'
routers). Moreover, the ability to hard-code credentials leads to
inadvertant leakage via XSS on the one hand, and poor development
practice on the other. Sifting through HTTPArchive, for example, yields
a number of credentials for test servers and other internal
architecture.

Usage of the `http://user:pass@host/` pattern has [declined significantly
in the last few years][1]; given that low usage, closing this small
security hole seems quite reasonable.

[1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532
[2]: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lx-U_JR2BF0
---
 fetch.bs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fetch.bs b/fetch.bs
index 81611d005..eaf725775 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2406,6 +2406,11 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
   <a for=request>referrer</a> to "<code>no-referrer</code>" or
   have it expose less sensitive information.
 
+ <li>
+  <p>If <var>request</var>'s <a for=request>current URL</a> <a for=URL>includes credentials</a>,
+  and <var>request</var> <span class=XXX>is not a <a>navigation request</a> that targets a
+  top-level browsing context</span>, set <var>response</var> to a <a>network error</a>.
+
  <li>
   <p>Set <var>request</var>'s <a for=request>current url</a>'s
   <a for=url>scheme</a> to "<code>https</code>" if

From e28f7972aa59a1c88183edcd28b0aa3424a94be1 Mon Sep 17 00:00:00 2001
From: Mike West <mike@mikewest.org>
Date: Wed, 8 Feb 2017 10:32:37 +0100
Subject: [PATCH 2/2] fixup Subresource.

---
 fetch.bs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index eaf725775..16824d762 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2408,8 +2408,9 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
 
  <li>
   <p>If <var>request</var>'s <a for=request>current URL</a> <a for=URL>includes credentials</a>,
-  and <var>request</var> <span class=XXX>is not a <a>navigation request</a> that targets a
-  top-level browsing context</span>, set <var>response</var> to a <a>network error</a>.
+  and <var>request</var>'s <a for=request>reserved client</a> is either <code>null</code>
+  or an <a>environment</a> whose <a for=environment>target browsing context</a> is a
+  <a>nested browsing context</a>, set <var>response</var> to a <a>network error</a>.
 
  <li>
   <p>Set <var>request</var>'s <a for=request>current url</a>'s