When I open a URL to a website using HTTP Basic Auth that contains username/password, for example:
https://foo:bar@httpbin.org/basic-auth/foo/bar
Checking via browser console shows that location.href returns the URL without credentials (i.e. https://httpbin.org/basic-auth/foo/bar).
However, document.URL returns the URL with credentials (https://foo:bar@httpbin.org/basic-auth/foo/bar).
I haven’t found any mentions of this being an intentional difference between these two accessors. Is this a browser bug, an implementation detail or stable standard-defined behavior?
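An added example, not part of the original post: a check that compares the two accessor values and produces a credential-free URL, for code that reads document.URL and must not pass userinfo on to logs or telemetry. The function names and the sample strings are assumptions constructed from the URLs in the question.

```javascript
// Constructed sample values mirroring the two results reported in the question.
const SAMPLE_HREF = 'https://httpbin.org/basic-auth/foo/bar';
const SAMPLE_DOCUMENT_URL = 'https://foo:bar@httpbin.org/basic-auth/foo/bar';

// Parse a URL string and return it with the userinfo (username:password) removed.
// Returns null for input that is not a parseable absolute URL.
function stripUserinfo(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  const hadCredentials = u.username !== '' || u.password !== '';
  u.password = '';
  u.username = '';
  return { sanitized: u.href, hadCredentials };
}

// Compare what the two accessors returned: do they name the same resource,
// and which of them carries credentials?
function compareAccessors(href, documentUrl) {
  const a = stripUserinfo(href);
  const b = stripUserinfo(documentUrl);
  if (a === null || b === null) return null;
  return {
    sameResource: a.sanitized === b.sanitized,
    hrefHasCredentials: a.hadCredentials,
    documentUrlHasCredentials: b.hadCredentials,
    safeToLog: b.sanitized, // value to use instead of the raw document.URL
  };
}

// In a browser, compare the live values; elsewhere, use the constructed samples.
const inBrowser = typeof document !== 'undefined' && typeof location !== 'undefined';
const report = inBrowser
  ? compareAccessors(location.href, document.URL)
  : compareAccessors(SAMPLE_HREF, SAMPLE_DOCUMENT_URL);
console.log(report);
```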