Carve out an exception for embedded credentials in XHR.
As discussed in https://crbug.com/707761, the security justification for
restricting username/password in XHR is weaker than I thought it was.
I'd still _like_ to remove developer-controlled usernames and passwords
from the platform, but I was incorrect to point to them as an actual
vulnerability, given the way basic/digest auth actually works (requiring
CORS-same-originness, and handshaking through a 401 response).
So, this patch limits the previous restrictions against embedded
credentials to non-XHR use cases. That will make SAP happy, and should
resolve the other complaints this change has generated.
BUG=707761,708131,504300
Review-Url: https://codereview.chromium.org/2808753003
Cr-Commit-Position: refs/heads/master@{#464019}
18 files changed
