url: drop auth in url.resolve() if host changes

[rlidwka]

#1435

Not sure how to handle this though.

[brendanashworth]

I wonder what should happen in this case?

url.resolve('mailto:user@example.org', 'example.com')
'mailto:user@example.com'

"user@" technically is auth info here.

I don't think it should copy over. However, to change that would be semver-major imo. This would be better:

> var parsed = url.parse('mailto:user@example.org');
undefined
> parsed.host = 'example.com';
'example.com'
> url.format(parsed);
'mailto:user@example.com'

[brendanashworth]

perhaps @domenic would be interested in reviewing?

[domenic]

What do browsers do? What does the spec (perhaps best tested via https://github.com/jsdom/whatwg-url) do?

[trevnorris]

I agree with @domenic. Our url module should align with the spec.

[jasnell]

Looks like this was never resolved. There's really no question that the user id and password should not be getting copied over.. url.resolve('http://user:pass@example.org', 'http://example.com') should never resolve out to http://user:pass@example.com. AFAICT, that aligns with the url spec also.

[jasnell]

@nodejs/http

[dougwilson]

I concur with @jasnell and this PR

[jasnell]

New CI: https://ci.nodejs.org/job/node-test-pull-request/2370/

[jasnell]

@nodejs/ctc ... amazingly, this PR was opened a year ago and still applies cleanly (albeit using a three way merge). It even passes linting! The change LGTM.

marked it semver-major because it changes the behavior of url.resolve to drop the auth but it could also be classified as a bug fix. PTAL

[jasnell]

CI is green!

[jasnell]

@mscdex @cjihrig @trevnorris ... can one of you give this a quick glance over?

[mscdex]

This should be changed to point to the nodejs/node repo

[jasnell]

Yep, I was going to change that upon landing (although, I kinda like that it still points to iojs, lol)

[mscdex]

LGTM

[jasnell]

It only took 1 year and 5 days but this landed in eb4201f ;-)