BlockCredentialedSubresources


#1

Hi All,

My Ionic app is getting data from other URLs with the embedded username & password. It stopped working a few months ago and I got this error:

“[Deprecation] Subresource requests whose URLs contain embedded credentials (e.g. https://user:pass@host/) are blocked”

I could fix it when running with ionic server with the parameter “--disable-blink-features=BlockCredentialedSubresources” for Chrome. However, I am not sure how to fix this with the deployed Android app.

Thanks.


#2

You need to rearchitect this, because section 3.2.1 of RFC 3986 mandates the deprecation:

Use of the format “user:password” in the userinfo field is deprecated. Applications should not render as clear text any data after the first colon (":") character found within a userinfo subcomponent unless the data after the colon is the empty string (indicating no password). Applications may choose to ignore or reject such data when it is received as part of a reference and should reject the storage of such data in unencrypted form. The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.
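
One way to do the rearchitecting suggested in #2, as an added example that is not part of either post: take the credentials out of the URL and send them in an `Authorization` header instead. It assumes the remote server accepts HTTP Basic authentication; the function names and the sample host are constructed for illustration.

```javascript
// Added example: function names and sample URLs are hypothetical.

// Base64-encode a string as UTF-8 bytes (btoa alone only handles Latin-1).
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Turn "https://user:pass@host/path" into a credential-free URL plus headers.
function splitCredentialedUrl(raw) {
  const u = new URL(raw);
  const headers = {};
  if (u.username || u.password) {
    // Basic credentials are only base64-encoded, so refuse cleartext transport.
    if (u.protocol !== 'https:') {
      throw new Error('refusing to send Basic credentials over ' + u.protocol);
    }
    // URL keeps userinfo percent-encoded; decode before building the header.
    const user = decodeURIComponent(u.username);
    const pass = decodeURIComponent(u.password);
    headers.Authorization = 'Basic ' + base64Utf8(user + ':' + pass);
    // Clearing both fields removes "user:pass@" from the serialized URL.
    u.username = '';
    u.password = '';
  }
  return { url: u.href, headers };
}

// Drop-in replacement for fetch() calls that used a credentialed URL.
async function fetchWithBasicAuth(raw, init = {}) {
  const { url, headers } = splitCredentialedUrl(raw);
  const merged = new Headers(init.headers);
  for (const [name, value] of Object.entries(headers)) merged.set(name, value);
  return fetch(url, { ...init, headers: merged });
}
```

A cross-origin request that carries an `Authorization` header triggers a CORS preflight, so the server has to allow that header.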