fix(history): use absolute path on http(s) to keep userinfo

packages/router/__tests__/history/html5.spec.ts

@@ -93,7 +93,7 @@ describe('History HTMl5', () => {
     expect(spy).toHaveBeenCalledWith(
       expect.anything(),
       expect.any(String),
-      'http://localhost:3000/foo'
+      '/foo'
     )
     history.push('//foo')
     expect(spy).toHaveBeenLastCalledWith(
@@ -104,6 +104,39 @@ describe('History HTMl5', () => {
     spy.mockRestore()
   })
 
+  it('passes an absolute path when document URL contains userinfo', () => {
+    getWindow().happyDOM.setURL('http://test:test@localhost:3000/')
+    const spy = vi.spyOn(window.history, 'replaceState')
+    createWebHistory()
+    expect(spy).toHaveBeenCalledWith(expect.anything(), expect.any(String), '/')
+    spy.mockRestore()
+  })
+
+  it('keeps userinfo when prepending the host for // urls', () => {
+    getWindow().happyDOM.setURL('http://test:test@localhost:3000/')
+    const history = createWebHistory()
+    const spy = vi.spyOn(window.history, 'pushState')
+    history.push('//foo')
+    expect(spy).toHaveBeenLastCalledWith(
+      expect.anything(),
+      expect.any(String),
+      'http://test:test@localhost:3000//foo'
+    )
+    spy.mockRestore()
+  })
+
+  it('prepends the file:// origin on file documents without a hash base', () => {
+    getWindow().happyDOM.setURL('file:///app/index.html')
+    const spy = vi.spyOn(window.history, 'replaceState')
+    createWebHistory()
+    expect(spy).toHaveBeenCalledWith(
+      expect.anything(),
+      expect.any(String),
+      'file:///app/index.html'
+    )
+    spy.mockRestore()
+  })
+
   describe('specific to base containing a hash', () => {
     it('calls push with hash part of the url with a base', () => {
       getWindow().happyDOM.setURL('file:///usr/etc/index.html')

packages/router/src/history/html5.ts

@@ -19,7 +19,17 @@ import { assign } from '../utils'
 
 type PopStateListener = (this: Window, ev: PopStateEvent) => any
 
-let createBaseLocation = () => location.protocol + '//' + location.host
+let createBaseLocation = () => {
+  // location.host omits userinfo, but pushState/replaceState on Chromium
+  // requires the URL to match the document URL including userinfo (#2714).
+  // Parse it back via the URL constructor.
+  const { protocol, host } = location
+  const { username, password } = new URL(location.href)
+  const userinfo = username
+    ? username + (password ? ':' + password : '') + '@'
+    : ''
+  return protocol + '//' + userinfo + host
+}
 
 interface StateEntry extends HistoryState {
   back: HistoryLocation | null
@@ -227,7 +237,14 @@ function useHistoryStateNavigation(base: string) {
         ? (location.host && document.querySelector('base')
             ? base
             : base.slice(hashIndex)) + to
-        : createBaseLocation() + base + to
+        : // pass an absolute path on http(s) so the browser resolves it
+          // against the document URL — preserves userinfo and avoids
+          // Chromium's SecurityError on basic-auth URLs (#2714). The explicit
+          // origin is still needed for file:// (no host) and protocol-relative
+          // `//` paths (#261).
+          location.protocol === 'file:' || (base + to).startsWith('//')
+          ? createBaseLocation() + base + to
+          : base + to
     try {
       // BROWSER QUIRK
       // NOTE: Safari throws a SecurityError when calling this function 100 times in 30 seconds