Tags: javascript, browser

Does `location.href` intentionally omit username/password when included in URL?


When I open a URL to a website using HTTP Basic Auth that contains username/password, for example:

https://foo:bar@httpbin.org/basic-auth/foo/bar

Checking via the browser console shows that location.href returns the URL without credentials (i.e. https://httpbin.org/basic-auth/foo/bar).

However document.URL returns the URL with credentials (https://foo:bar@httpbin.org/basic-auth/foo/bar).

I haven't found any mention of this being an intentional difference between these two accessors. Is this a browser bug, an implementation detail or stable standard-defined behavior?


Solution

  • TLDR: In the current HTML specification (Sept 2024), location.href should behave the same way as document.URL does (see this discussion with annevk, one of the Web Standard engineers). All parts of the URL should be included, and therefore it is an implementation mistake for browsers to redact it for security reasons.

    Implementation-wise, Chromium, Firefox, and Safari (WebKit) explicitly remove the credential parts from location.href before exposing it to JavaScript interfaces.

    I assume that the browser guys don't share a consensus, since Chromium devs were asking what other browsers' default behavior is, and Firefox seems to have implemented such a feature a long time ago (at least before Mozilla 1.0).

    For document.URL, it seems correct to return the full URL with credentials as per spec (not explicitly), and at least Chromium and Firefox followed it (I didn't test on Safari).

    Specification-wise, the two properties are "defined to be identical", and location.href should not "omit parts of the URL". However, this API-level credential redaction behavior is not yet standardized but "definitely [has] to be standardized somehow".
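Because the answer says document.URL may still carry the userinfo part while location.href does not, any page script that forwards document.URL to logging, analytics or error reporting can leak Basic Auth credentials. The following helper, added here as an example and not part of the original question or answer, detects and strips userinfo with the WHATWG URL API (available in browsers and Node.js). The function names and the constructed sample URL are my own; in a browser you would pass document.URL instead of the sample.

```javascript
// Added example (not from the original page): detect and strip embedded
// username:password from a URL string before it reaches any log sink.
// Uses only the WHATWG URL API, which exists in browsers and Node.js.

// Returns true when the URL carries a userinfo component (username or password).
function hasEmbeddedCredentials(urlString) {
  const u = new URL(urlString);
  return u.username !== "" || u.password !== "";
}

// Returns the same URL with the userinfo component removed. Clearing both
// username and password makes the URL serializer drop the "user:pass@" part,
// which yields the same form location.href exposes in current browsers.
function redactCredentials(urlString) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  return u.href;
}

// What a page script should call before sending the current URL anywhere.
// `pageUrl` stands for the value read from document.URL; here a constructed
// sample is used so the snippet also runs outside a browser.
function safeUrlForLogging(pageUrl) {
  if (hasEmbeddedCredentials(pageUrl)) {
    return redactCredentials(pageUrl);
  }
  return pageUrl;
}

// Constructed sample, taken from the question's example URL.
const sampleUrl = "https://foo:bar@httpbin.org/basic-auth/foo/bar";
console.log(safeUrlForLogging(sampleUrl)); // https://httpbin.org/basic-auth/foo/bar
```

The check is deliberately applied to whatever string the caller has, not to location.href, because the answer shows that relying on location.href's redaction is relying on unstandardized browser behavior; stripping userinfo yourself works regardless of which accessor or browser produced the string.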