Using the ViewSource action on e.g. http://user:passwd@httpbin.org/basic-auth/user/passwd opens a view-source:http://user:passwd@httpbin.org/basic-auth/user/passwd URL.

Since the path of that new URL is set to the original URL, calling toDisplayString() on it will include the user and password.

In Chromium, using "view source" on the same page opens the URL view-source:http://httpbin.org/basic-auth/user/passwd with that not displayed. I'm not sure if it's needed internally to get the source though - it doesn't seem to be stripped out when the URL is created (probably only when displayed?).

When opening http://user:passwd@httpbin.org/basic-auth/user/passwd and then opening view-source:http://httpbin.org/basic-auth/user/passwd by hand it seems to work fine without asking for credentials, so QtWebEngine should probably just strip that out when constructing the URL.