author | jchaffraix@chromium.org <jchaffraix@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-07 23:39:41 +0000 |
---|---|---|
committer | jchaffraix@chromium.org <jchaffraix@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-07 23:39:41 +0000 |
commit | 4c06905d140438b2b06a96c2b07867ac981e19e5 (patch) | |
tree | 11ea6e191df1fe0605ef3a0103a18e40b9487114 /net/url_request | |
parent | 4c616541cf6e73dfebaf3cd68128c1e49e7d111b (diff) | |
Revert 120836 - Don't use IDENT_SRC_URL for HttpAuth challenges. IE hasn't supported it for years, and at worst it represents a session fixation attack.
BUG=94578
Review URL: https://chromiumcodereview.appspot.com/9307093
TBR=tsepez@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9365001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@120857 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r-- | net/url_request/url_request_unittest.cc | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 287e21b..bafbd6f 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -2465,6 +2465,37 @@ TEST_F(URLRequestTestHTTP, BasicAuthWithCookies) {
 EXPECT_TRUE(d.data_received().find("Cookie: got_challenged=true")
 != std::string::npos);
 }
+
+ // Same test as above, except this time the restart is initiated earlier
+ // (without user intervention since identity is embedded in the URL).
+ {
+ TestNetworkDelegate network_delegate; // must outlive URLRequest
+ scoped_refptr<TestURLRequestContext> context(
+ new TestURLRequestContext(true));
+ context->set_network_delegate(&network_delegate);
+ context->Init();
+
+ TestDelegate d;
+
+ GURL::Replacements replacements;
+ std::string username("user2");
+ std::string password("secret");
+ replacements.SetUsernameStr(username);
+ replacements.SetPasswordStr(password);
+ GURL url_with_identity = url_requiring_auth.ReplaceComponents(replacements);
+
+ URLRequest r(url_with_identity, &d);
+ r.set_context(context);
+ r.Start();
+
+ MessageLoop::current()->Run();
+
+ EXPECT_TRUE(d.data_received().find("user2/secret") != std::string::npos);
+
+ // Make sure we sent the cookie in the restarted transaction.
+ EXPECT_TRUE(d.data_received().find("Cookie: got_challenged=true")
+ != std::string::npos);
+ }
 }

 TEST_F(URLRequestTest, DelayedCookieCallback) { |
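Review bot: The re-added block in BasicAuthWithCookies pins the behaviour that a username and password embedded in the URL answer the auth challenge with no user interaction, but its comment does not say that this is the behaviour the reverted change (BUG=94578) removed as a possible session fixation risk. Because a passing test reads as an endorsement of what it asserts, I would extend the block comment with something like `// NOTE: exercises URL-embedded credentials (IDENT_SRC_URL); see BUG=94578 and update or invert this block if that support is dropped again.` As a smaller style point, the two `EXPECT_TRUE(... find(...) != std::string::npos)` checks print nothing useful on failure; `EXPECT_NE(std::string::npos, d.data_received().find("user2/secret"))` reports the mismatch directly. The enclosing TEST_F body starts outside this hunk, so whether request success is checked before the body is inspected cannot be seen from here.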