User/password are always safe as they require a preflight request for…

… the Authorization header

Fixes https://www.w3.org/Bugs/Public/show_bug.cgi?id=17242#c13 (and
therefore the entire bug)

This also cleans up the way the user/password arguments are defined a
lot and gives them default values.

Overview.html

@@ -297,7 +297,7 @@ <h2 id="interface-xmlhttprequest"><span class="secno">4 </span>Interface <code t
   readonly attribute unsigned short <a href="#dom-xmlhttprequest-readystate" title="dom-XMLHttpRequest-readyState">readyState</a>;
 
   // <a href="#request">request</a>
-  void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+  void <a href="#dom-xmlhttprequest-open" title="dom-XMLHttpRequest-open">open</a>(ByteString <var>method</var>, DOMString <var title="">url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
   void <a href="#dom-xmlhttprequest-setrequestheader" title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</a>(ByteString <var>header</var>, ByteString <var>value</var>);
            attribute unsigned long <a href="#dom-xmlhttprequest-timeout" title="dom-XMLHttpRequest-timeout">timeout</a>;
            attribute boolean <a href="#dom-xmlhttprequest-withcredentials" title="dom-XMLHttpRequest-withCredentials">withCredentials</a>;
@@ -623,23 +623,14 @@ <h4 id="the-open()-method"><span class="secno">4.7.1 </span>The <code title="">o
     <code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
 
     <p>Throws an "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>"
-    exception if one of the following is true:</p>
-
-    <ul>
-     <li>Either <var title="">user</var> or <var title="">password</var> is passed
-     as argument and the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of
-     <var title="">url</var> does not match the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>.
-     <li>There is an associated
-     <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
-     <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
-     zero, the
-     <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
-     attribute is true, or the
-     <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
-     attribute is not the empty string.
-    </ul>
-   </dd>
+    exception if there is an associated
+    <a href="#xmlhttprequest-document"><code>XMLHttpRequest</code> document</a> and either the
+    <code title="dom-XMLHttpRequest-timeout"><a href="#dom-xmlhttprequest-timeout">timeout</a></code> attribute is not
+    zero, the
+    <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
+    attribute is true, or the
+    <code title="dom-XMLHttpRequest-responseType"><a href="#dom-xmlhttprequest-responsetype">responseType</a></code>
+    attribute is not the empty string.
   </dl>
 
   <p>The
@@ -753,45 +744,11 @@ <h4 id="the-open()-method"><span class="secno">4.7.1 </span>The <code title="">o
    "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
    terminate these steps.
 
-   <li>
-    <p>If the <var title="">user</var> argument was not omitted follow these
-    substeps:
-
-    <ol>
-     <li><p>If <var title="">user</var> is not null and the
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
-     <a class="external" href="http://dom.spec.whatwg.org/#concept-throw" title="concept-throw">throw</a> an
-     "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
-     terminate the overall set of steps.
+   <li><p>If the <var title="">user</var> argument is not null, set
+   <var>temp user</var> to <var>user</var>.
 
-     <li><p>Let <var>temp user</var> be <var>user</var>.</li>
-    </ol>
-
-    <p class="note">These steps override anything that may have been set by
-    the <var title="">url</var> argument.</p>
-   </li>
-
-   <li>
-    <p>If the <var title="">password</var> argument was not omitted follow
-    these substeps:
-
-    <ol>
-     <li><p>If <var title="">password</var> is not null and the
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> of <var title="">url</var> is not
-     <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin">same origin</a> with the
-     <a href="#xmlhttprequest-origin"><code>XMLHttpRequest</code> origin</a>,
-     <a class="external" href="http://dom.spec.whatwg.org/#concept-throw" title="concept-throw">throw</a> an
-     "<code class="external"><a href="http://dom.spec.whatwg.org/#invalidaccesserror">InvalidAccessError</a></code>" exception and
-     terminate the overall set of steps.</li>
-
-     <li><p>Let <var>temp password</var> be <var>password</var>.</li>
-    </ol>
-
-    <p class="note">These steps override anything that may have been set by
-    the <var title="">url</var> argument.</p>
-   </li>
+   <li><p>If the <var title="">password</var> argument is not null, set
+   <var>temp password</var> to <var>password</var>.
 
    <li><p><a href="#terminate-abort()" title="terminate abort()">Terminate the <code>abort()</code> algorithm</a>.</li>
 
@@ -1398,15 +1355,6 @@ <h4 id="the-send()-method"><span class="secno">4.7.6 </span>The <code title="">s
        <dd>Set if the <a href="#upload-events-flag">upload events flag</a> is set.
       </dl>
 
-      <p class="note"><a href="#request-username">Request username</a> and
-      <a href="#request-password">request password</a> are always ignored as part of a
-      <a class="external" href="http://fetch.spec.whatwg.org/#cross-origin-request">cross-origin request</a>; including
-      them would allow a site to perform a distributed password search.
-      However, user agents will include <a href="#user-credentials">user credentials</a> in the
-      request (if the user has any and if
-      <code title="dom-XMLHttpRequest-withCredentials"><a href="#dom-xmlhttprequest-withcredentials">withCredentials</a></code>
-      is true).</p>
-
       <dl class="switch">
        <dt>If the <a href="#synchronous-flag">synchronous flag</a> is set</dt>
        <dd>

Overview.src.html

@@ -245,7 +245,7 @@ <h2>Interface <code title>XMLHttpRequest</code></h2>
   readonly attribute unsigned short <span title="dom-XMLHttpRequest-readyState">readyState</span>;
 
   // <a href="#request">request</a>
-  void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var>, optional DOMString? <var>password</var>);
+  void <span title="dom-XMLHttpRequest-open">open</span>(ByteString <var>method</var>, DOMString <var title>url</var>, optional boolean <var>async</var> = true, optional DOMString? <var>user</var> = null, optional DOMString? <var>password</var> = null);
   void <span title="dom-XMLHttpRequest-setRequestHeader">setRequestHeader</span>(ByteString <var>header</var>, ByteString <var>value</var>);
            attribute unsigned long <span title="dom-XMLHttpRequest-timeout">timeout</span>;
            attribute boolean <span title="dom-XMLHttpRequest-withCredentials">withCredentials</span>;
@@ -571,23 +571,14 @@ <h4>The <code title>open()</code> method</h4>
     <code>CONNECT</code>, <code>TRACE</code> or <code>TRACK</code>.</p>
 
     <p>Throws an "<code data-anolis-spec=dom>InvalidAccessError</code>"
-    exception if one of the following is true:</p>
-
-    <ul>
-     <li>Either <var title>user</var> or <var title>password</var> is passed
-     as argument and the <span data-anolis-spec=html>origin</span> of
-     <var title>url</var> does not match the
-     <span><code>XMLHttpRequest</code> origin</span>.
-     <li>There is an associated
-     <span><code>XMLHttpRequest</code> document</span> and either the
-     <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
-     zero, the
-     <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
-     attribute is true, or the
-     <code title=dom-XMLHttpRequest-responseType>responseType</code>
-     attribute is not the empty string.
-    </ul>
-   </dd>
+    exception if there is an associated
+    <span><code>XMLHttpRequest</code> document</span> and either the
+    <code title=dom-XMLHttpRequest-timeout>timeout</code> attribute is not
+    zero, the
+    <code title=dom-XMLHttpRequest-withCredentials>withCredentials</code>
+    attribute is true, or the
+    <code title=dom-XMLHttpRequest-responseType>responseType</code>
+    attribute is not the empty string.
   </dl>
 
   <p>The
@@ -701,45 +692,11 @@ <h4>The <code title>open()</code> method</h4>
    "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
    terminate these steps.
 
-   <li>
-    <p>If the <var title>user</var> argument was not omitted follow these
-    substeps:
-
-    <ol>
-     <li><p>If <var title>user</var> is not null and the
-     <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
-     <span data-anolis-spec=html>same origin</span> with the
-     <span><code>XMLHttpRequest</code> origin</span>,
-     <span data-anolis-spec=dom title=concept-throw>throw</span> an
-     "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
-     terminate the overall set of steps.
+   <li><p>If the <var title>user</var> argument is not null, set
+   <var>temp user</var> to <var>user</var>.
 
-     <li><p>Let <var>temp user</var> be <var>user</var>.</p></li>
-    </ol>
-
-    <p class=note>These steps override anything that may have been set by
-    the <var title>url</var> argument.</p>
-   </li>
-
-   <li>
-    <p>If the <var title>password</var> argument was not omitted follow
-    these substeps:
-
-    <ol>
-     <li><p>If <var title>password</var> is not null and the
-     <span data-anolis-spec=html>origin</span> of <var title>url</var> is not
-     <span data-anolis-spec=html>same origin</span> with the
-     <span><code>XMLHttpRequest</code> origin</span>,
-     <span data-anolis-spec=dom title=concept-throw>throw</span> an
-     "<code data-anolis-spec=dom>InvalidAccessError</code>" exception and
-     terminate the overall set of steps.</p></li>
-
-     <li><p>Let <var>temp password</var> be <var>password</var>.</p></li>
-    </ol>
-
-    <p class=note>These steps override anything that may have been set by
-    the <var title>url</var> argument.</p>
-   </li>
+   <li><p>If the <var title>password</var> argument is not null, set
+   <var>temp password</var> to <var>password</var>.
 
    <li><p><span title="terminate abort()">Terminate the <code>abort()</code> algorithm</span>.</p></li>
 
@@ -1346,15 +1303,6 @@ <h4>The <code title>send()</code> method</h4>
        <dd>Set if the <span>upload events flag</span> is set.
       </dl>
 
-      <p class=note><span>Request username</span> and
-      <span>request password</span> are always ignored as part of a
-      <span data-anolis-spec=cors>cross-origin request</span>; including
-      them would allow a site to perform a distributed password search.
-      However, user agents will include <span>user credentials</span> in the
-      request (if the user has any and if
-      <code title="dom-XMLHttpRequest-withCredentials">withCredentials</code>
-      is true).</p>
-
       <dl class=switch>
        <dt>If the <span>synchronous flag</span> is set</dt>
        <dd>