Hi Simone,
we are looking at this.
UI5 does certainly not build such URLs, just like that.
I assume you use an ODataModel with user and password parameters? In this case we feed user and password as separate parameters into the datajs third-party library. This library in turn passes them on as distinct parameters to the browser's XMLHTTPRequest.open(...) method. The URL still contains no user/password. But it's not fully clear what happens then. Tests with today's nightly build of Google Canary indicate that its own XMLHTTPRequest constructs this URL, which leads to the announced failure. So this behavior is not specific to UI5, but applies for any usage of the XHR object (which is more or less the base of the modern web) with its official user/password parameters, which have NOT been deprecated. In this light, the Chrome change looks like a strange/overambitious move that will break many things in the web.
However, for productive scenarios handling plaintext user/password within apps is anyway questionable. I'm not an expert, but that SAML/OAuth authentication where an access token is retrieved from a distinct login page might be better. Nevertheless, we keep an eye on this and might contact Google.
Regards
Andreas
Add comment