Revert 138890 - Merge 138264 - Re-enable embedded identities in URLs for HTTP authentication.

net/http/http_auth_controller.cc

Index: net/http/http_auth_controller.cc
===================================================================
--- net/http/http_auth_controller.cc	(revision 138902)
+++ net/http/http_auth_controller.cc	(working copy)
@@ -450,21 +450,17 @@
   DCHECK(handler_.get());
   DCHECK(identity_.invalid);
 
-  // Try to use the username:password encoded into the URL first.
+  // Do not try to use the username:password encoded into the URL.  At worst,
+  // this represents a session fixation attack against basic auth, and as it
+  // turns out, IE hasn't supported this for years. If a caller really wants
+  // to use embedded identities, the can add an URLRequest::Delegate that
+  // inspects the URL and supplies the username/password at OnAuthRequired()
+  // time. Past data shows this is used extremely infrequently in web pages,
+  // but continue to collect this data.
   if (target_ == HttpAuth::AUTH_SERVER && auth_url_.has_username() &&
       !embedded_identity_used_) {
-    identity_.source = HttpAuth::IDENT_SRC_URL;
-    identity_.invalid = false;
-    // Extract the username:password from the URL.
-    string16 username;
-    string16 password;
-    GetIdentityFromURL(auth_url_, &username, &password);
-    identity_.credentials.Set(username, password);
     embedded_identity_used_ = true;
-    // TODO(eroman): If the password is blank, should we also try combining
-    // with a password from the cache?
     UMA_HISTOGRAM_BOOLEAN("net.HttpIdentSrcURL", true);
-    return true;
   }
 
   // Check the auth cache for a realm entry.