Block subresource requests whose URLs include credentials. #465
+6
−0
Commits on Jan 24, 2017
-
Block subresource requests whose URLs include credentials.
Hard-coding credentials into subresource requests (e.g. `https://user:pass@host/`) is problematic from a security perspective, as it's allowed folks to brute-force credentials in the past, enables session fixation attacks for sites using basic auth, and can allow attackers access to well-known, poorly-coded devices (such as users' routers). Moreover, the ability to hard-code credentials leads to inadvertant leakage via XSS on the one hand, and poor development practice on the other. Sifting through HTTPArchive, for example, yields a number of credentials for test servers and other internal architecture. Usage of the `http://user:pass@host/` pattern has [declined significantly in the last few years][1]; given that low usage, closing this small security hole seems quite reasonable. [1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532 [2]: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lx-U_JR2BF0
Commits on Feb 8, 2017
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.