Re-enable embedded identities in URLs for HTTP authentication.

net/http/http_auth_controller.cc

Index: net/http/http_auth_controller.cc
diff --git a/net/http/http_auth_controller.cc b/net/http/http_auth_controller.cc
index 34c246970fd6e897ca7d00b9a96f4733cc62341b..1ab12adda7655dfc241fec54db51db9f0565f1dc 100644
--- a/net/http/http_auth_controller.cc
+++ b/net/http/http_auth_controller.cc
@@ -450,17 +450,21 @@ bool HttpAuthController::SelectNextAuthIdentityToTry() {
   DCHECK(handler_.get());
   DCHECK(identity_.invalid);
 
-  // Do not try to use the username:password encoded into the URL.  At worst,
-  // this represents a session fixation attack against basic auth, and as it
-  // turns out, IE hasn't supported this for years. If a caller really wants
-  // to use embedded identities, the can add an URLRequest::Delegate that
-  // inspects the URL and supplies the username/password at OnAuthRequired()
-  // time. Past data shows this is used extremely infrequently in web pages,
-  // but continue to collect this data.
+  // Try to use the username:password encoded into the URL first.
   if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
       !embedded_identity_used_) {
+    identity_.source = HttpAuth::IDENT_SRC_URL;
+    identity_.invalid = false;
+    // Extract the username:password from the URL.
+    string16 username;
+    string16 password;
+    GetIdentityFromURL(auth_url_, &username, &password);
+    identity_.credentials.Set(username, password);
     embedded_identity_used_ = true;
+    // TODO(eroman): If the password is blank, should we also try combining
+    // with a password from the cache?
     UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true);
+    return true;
   }
 
   // Check the auth cache for a realm entry.