fix: use OR operator in includesCredentials per WHATWG URL Standard (#4816)

jackhax · web-flow · commit a821c5669fa6 · 2026-02-07T08:16:34.000-05:00
diff --git a/lib/web/fetch/util.js b/lib/web/fetch/util.js
@@ -1439,7 +1439,7 @@ function hasAuthenticationEntry (request) {
  */
 function includesCredentials (url) {
   // A URL includes credentials if its username or password is not the empty string.
-  return !!(url.username && url.password)
+  return !!(url.username || url.password)
 }
 
 /**
diff --git a/test/fetch/includes-credentials.js b/test/fetch/includes-credentials.js
@@ -0,0 +1,24 @@
+'use strict'
+
+const { test } = require('node:test')
+const { includesCredentials } = require('../../lib/web/fetch/util')
+
+test('includesCredentials returns true for URL with both username and password', () => {
+  const url = new URL('http://user:pass@example.com')
+  require('node:assert').strictEqual(includesCredentials(url), true)
+})
+
+test('includesCredentials returns true for URL with only username', () => {
+  const url = new URL('http://user@example.com')
+  require('node:assert').strictEqual(includesCredentials(url), true)
+})
+
+test('includesCredentials returns true for URL with only password', () => {
+  const url = new URL('http://:pass@example.com')
+  require('node:assert').strictEqual(includesCredentials(url), true)
+})
+
+test('includesCredentials returns false for URL with no credentials', () => {
+  const url = new URL('http://example.com')
+  require('node:assert').strictEqual(includesCredentials(url), false)
+})

Original file line number	Diff line number	Diff line change
`@@ -1439,7 +1439,7 @@ function hasAuthenticationEntry (request) {`
`1439`	`1439`	`*/`
`1440`	`1440`	`function includesCredentials (url) {`
`1441`	`1441`	`// A URL includes credentials if its username or password is not the empty string.`
`1442`		`- return !!(url.username && url.password)`
	`1442`	`+ return !!(url.username \|\| url.password)`
`1443`	`1443`	`}`
`1444`	`1444`
`1445`	`1445`	`/**`