Enable blocking of subresource requests whose URLs include credentials.

chrome/browser/ui/login/login_handler_browsertest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 #include <list>
 #include <map>
 
 #include "base/metrics/field_trial.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 965 matching lines @@
   }
 
   EXPECT_EQ(1, observer.auth_needed_count());
   EXPECT_EQ(1, observer.auth_supplied_count());
   EXPECT_EQ(0, observer.auth_cancelled_count());
   EXPECT_EQ(1, observer_incognito.auth_needed_count());
   EXPECT_EQ(0, observer_incognito.auth_supplied_count());
   EXPECT_EQ(0, observer_incognito.auth_cancelled_count());
 }
 
-// If an XMLHttpRequest is made with incorrect credentials, there should be no
-// login prompt; instead the 401 status should be returned to the script.
-IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
-                       NoLoginPromptForXHRWithBadCredentials) {
-  const char kXHRTestPage[] = "/login/xhr_with_credentials.html#incorrect";

[Mike West, 2017/03/27 11:58:50]

Dropping both of these tests, as they rely on XHR sending embedded credentials,
which it's no longer capable of doing.

-
-  ASSERT_TRUE(embedded_test_server()->Start());
-
-  content::WebContents* contents =
-      browser()->tab_strip_model()->GetActiveWebContents();
-  NavigationController* controller = &contents->GetController();
-  LoginPromptBrowserTestObserver observer;
-
-  observer.Register(content::Source<NavigationController>(controller));
-
-  // Load a page which makes a synchronous XMLHttpRequest for an authenticated
-  // resource with the wrong credentials.  There should be no login prompt.
-  {
-    GURL test_page = embedded_test_server()->GetURL(kXHRTestPage);
-    WindowedLoadStopObserver load_stop_waiter(controller, 1);
-    browser()->OpenURL(OpenURLParams(test_page, Referrer(),
-                                     WindowOpenDisposition::CURRENT_TAB,
-                                     ui::PAGE_TRANSITION_TYPED, false));
-    load_stop_waiter.Wait();
-  }
-
-  base::string16 expected_title(base::UTF8ToUTF16("status=401"));
-
-  EXPECT_EQ(expected_title, contents->GetTitle());
-  EXPECT_EQ(0, observer.auth_supplied_count());
-  EXPECT_EQ(0, observer.auth_needed_count());
-  EXPECT_EQ(0, observer.auth_cancelled_count());
-}
-
-// If an XMLHttpRequest is made with correct credentials, there should be no
-// login prompt either.
-IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
-                       NoLoginPromptForXHRWithGoodCredentials) {
-  const char kXHRTestPage[] = "/login/xhr_with_credentials.html#secret";
-
-  ASSERT_TRUE(embedded_test_server()->Start());
-
-  content::WebContents* contents =
-      browser()->tab_strip_model()->GetActiveWebContents();
-  NavigationController* controller = &contents->GetController();
-  LoginPromptBrowserTestObserver observer;
-
-  observer.Register(content::Source<NavigationController>(controller));
-
-  // Load a page which makes a synchronous XMLHttpRequest for an authenticated
-  // resource with the wrong credentials.  There should be no login prompt.
-  {
-    GURL test_page = embedded_test_server()->GetURL(kXHRTestPage);
-    WindowedLoadStopObserver load_stop_waiter(controller, 1);
-    browser()->OpenURL(OpenURLParams(test_page, Referrer(),
-                                     WindowOpenDisposition::CURRENT_TAB,
-                                     ui::PAGE_TRANSITION_TYPED, false));
-    load_stop_waiter.Wait();
-  }
-
-  base::string16 expected_title(base::UTF8ToUTF16("status=200"));
-
-  EXPECT_EQ(expected_title, contents->GetTitle());
-  EXPECT_EQ(0, observer.auth_supplied_count());
-  EXPECT_EQ(0, observer.auth_needed_count());
-  EXPECT_EQ(0, observer.auth_cancelled_count());
-}
-
 // If an XMLHttpRequest is made without credentials, there should be a login
 // prompt.
 IN_PROC_BROWSER_TEST_F(LoginPromptBrowserTest,
                        LoginPromptForXHRWithoutCredentials) {
   const char kXHRTestPage[] = "/login/xhr_without_credentials.html";
 
   ASSERT_TRUE(embedded_test_server()->Start());
 
   content::WebContents* contents =
       browser()->tab_strip_model()->GetActiveWebContents();
   NavigationController* controller = &contents->GetController();
   LoginPromptBrowserTestObserver observer;
 
   observer.Register(content::Source<NavigationController>(controller));
 
   // Load a page which makes a synchronous XMLHttpRequest for an authenticated
-  // resource with the wrong credentials.  There should be no login prompt.
+  // resource without credentials. There should be a login prompt.
   {
     GURL test_page = embedded_test_server()->GetURL(kXHRTestPage);
     WindowedAuthNeededObserver auth_needed_waiter(controller);
     browser()->OpenURL(OpenURLParams(test_page, Referrer(),
                                      WindowOpenDisposition::CURRENT_TAB,
                                      ui::PAGE_TRANSITION_TYPED, false));
     auth_needed_waiter.Wait();
   }
 
   ASSERT_FALSE(observer.handlers().empty());
@@ skipping 416 matching lines @@
   // out.
   EXPECT_TRUE(
       WaitForRenderFrameReady(contents->GetInterstitialPage()->GetMainFrame()));
   EXPECT_TRUE(contents->ShowingInterstitialPage());
   EXPECT_EQ(SSLBlockingPage::kTypeForTesting, contents->GetInterstitialPage()
                                                   ->GetDelegateForTesting()
                                                   ->GetTypeForTesting());
 }
 
 }  // namespace