Explain the use-URL-credentials flag

domenic · web-flow · commit a388348c18d5 · 2022-10-22T22:59:05.000-04:00
Although, see #1496 for potential followup.
diff --git a/fetch.bs b/fetch.bs
@@ -1852,6 +1852,13 @@ which is "<code>omit</code>", "<code>same-origin</code>", or
 <dfn export for=request id=concept-request-use-url-credentials-flag>use-URL-credentials flag</dfn>.
 Unless stated otherwise, it is unset.
 
+<p class=note>When this flag is set, when a <a for=/>request</a>'s
+<a for=request>URL</a> has a <a for=url>username</a> and <a for=url>password</a>, and there is an
+available <a>authentication entry</a> for the <a for=/>request</a>, then the <a for=/>URL</a>'s
+credentials are preferred over that of the <a>authentication entry</a>. Modern specifications avoid
+setting this flag, since putting credentials in <a for=/>URLs</a> is discouraged, but some older
+features set it for compatibility reasons.
+
 <p>A <a for=/>request</a> has an associated
 <dfn export for=request id=concept-request-cache-mode>cache mode</dfn>, which is
 "<code>default</code>", "<code>no-store</code>", "<code>reload</code>",
