Chromium's implementation of use-URL-credentials probably does not match the spec

[domenic]

Spinning off from #465 (comment) .

We suspect that Chromium implements this flag by stripping the username and password from the URL before doing the fetch, which will cause the server worker, or any redirect destinations, to observe the modified URL. Whereas in the Fetch spec, there's a separate boolean which causes the URL credentials to be not-used.

This might be just a Chromium bug, but it's worth checking at least WebKit given the shared lineage. It's possible we might want to update the spec to match Chromium's behavior instead, as arguably reducing the number of URLs with usernames/passwords in them throughout the ecosystem is nice.

First step is to write some proper web platform tests, I guess.

[domenic]

Stripping the username and password also doesn't match the algorithm in HTTP-network-or-cache fetch, which roughly uses the flag only when both URL credentials and authentication side table credentials are present. In other words, if only URL credentials are present, the spec still uses them, whereas Chromium does not (since they are stripped from the URL). See #1498 (comment) for a more detailed analysis.

So yeah, tests needed in general...