Don't use IDENT_SRC_URL for HttpAuth challenges. IE hasn't supported it for years, and at worst ...

net/http/http_auth_controller.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram.h"
 #include "base/string_util.h"
@@ skipping 229 matching lines @@
   // the auth scheme and want to retry.
   if (!auth_token_.empty()) {
     authorization_headers->SetHeader(
         HttpAuth::GetAuthorizationHeaderName(target_), auth_token_);
     auth_token_.clear();
   }
 }
 
 int HttpAuthController::HandleAuthChallenge(
     scoped_refptr<HttpResponseHeaders> headers,
-    bool do_not_send_server_auth,
-    bool establishing_tunnel,
+    int challenge_option_mask,
     const BoundNetLog& net_log) {
   DCHECK(CalledOnValidThread());
   DCHECK(headers);
   DCHECK(auth_origin_.is_valid());
   VLOG(1) << "The " << HttpAuth::GetAuthTargetString(target_) << " "
           << auth_origin_ << " requested auth "
           << AuthChallengeLogMessage(headers.get());
 
   // Give the existing auth handler first try at the authentication headers.
   // This will also evict the entry in the HttpAuthCache if the previous
@@ skipping 38 matching lines @@
             INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
       default:
         NOTREACHED();
         break;
     }
   }
 
   identity_.invalid = true;
 
-  bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
-                        !do_not_send_server_auth);
+  bool can_send_auth =
+      (target_ != HttpAuth::AUTH_SERVER ||
+       (challenge_option_mask & CHALLENGE_OPTION_SEND_SERVER_AUTH));
 
   do {
     if (!handler_.get() && can_send_auth) {
       // Find the best authentication challenge that we support.
       HttpAuth::ChooseBestChallenge(http_auth_handler_factory_,
                                     headers, target_, auth_origin_,
                                     disabled_schemes_, net_log,
                                     &handler_);
       if (handler_.get())
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_START);
     }
 
     if (!handler_.get()) {
-      if (establishing_tunnel) {
+      if (challenge_option_mask & CHALLENGE_OPTION_ESTABLISHING_TUNNEL) {
         LOG(ERROR) << "Can't perform auth to the "
                    << HttpAuth::GetAuthTargetString(target_) << " "
                    << auth_origin_ << " when establishing a tunnel"
                    << AuthChallengeLogMessage(headers.get());
 
         // We are establishing a tunnel, we can't show the error page because an
         // active network attacker could control its contents.  Instead, we just
         // fail to establish the tunnel.
         DCHECK(target_ == HttpAuth::AUTH_PROXY);
         return ERR_PROXY_AUTH_UNSUPPORTED;
       }
       // We found no supported challenge -- let the transaction continue so we
       // end up displaying the error page.
       return OK;
     }
 
     if (handler_->NeedsIdentity()) {
       // Pick a new auth identity to try, by looking to the URL and auth cache.
       // If an identity to try is found, it is saved to identity_.
-      SelectNextAuthIdentityToTry();
+      SelectNextAuthIdentityToTry(challenge_option_mask);
     } else {
       // Proceed with the existing identity or a null identity.
       identity_.invalid = false;
     }
 
     // From this point on, we are restartable.
 
     if (identity_.invalid) {
       // We have exhausted all identity possibilities.
       if (!handler_->AllowsExplicitCredentials()) {
@@ skipping 82 matching lines @@
   DCHECK(CalledOnValidThread());
   DCHECK(HaveAuth());
 
   // Clear the cache entry for the identity we just failed on.
   // Note: we require the credentials to match before invalidating
   // since the entry in the cache may be newer than what we used last time.
   http_auth_cache_->Remove(auth_origin_, handler_->realm(),
                            handler_->auth_scheme(), identity_.credentials);
 }
 
-bool HttpAuthController::SelectNextAuthIdentityToTry() {
+bool HttpAuthController::SelectNextAuthIdentityToTry(
+    int challenge_option_mask) {
   DCHECK(CalledOnValidThread());
   DCHECK(handler_.get());
   DCHECK(identity_.invalid);
 
   // Try to use the username:password encoded into the URL first.
   if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
+      (challenge_option_mask & CHALLENGE_OPTION_USE_EMBEDDED_AUTH) &&
       !embedded_identity_used_) {
     identity_.source = HttpAuth::IDENT_SRC_URL;
     identity_.invalid = false;
     // Extract the username:password from the URL.
     string16 username;
     string16 password;
     GetIdentityFromURL(auth_url_, &username, &password);
     identity_.credentials.Set(username, password);
     embedded_identity_used_ = true;
     // TODO(eroman): If the password is blank, should we also try combining
@@ skipping 92 matching lines @@
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 }  // namespace net