Block subresource requests whose URLs include credentials.

Usage of the `http://user:pass@host/` pattern has [declined significantly
in the last few years][1]. We've taken steps in this direction in the past
(see the discussion in https://crbug.com/174179 and
https://crbug.com/303046). My hope is that usage has decreased in the last
~2 years to the point where it makes sense to try again.

Intent: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/lx-U_JR2BF0

[1]: https://www.chromestatus.com/metrics/feature/timeline/popularity/532

BUG=504300,435547

Review-Url: https://codereview.chromium.org/2651943002
Cr-Commit-Position: refs/heads/master@{#459737}
25 files changed