I ran the serialization tests of bug 104919 against the URL Standard. I feel that the password being the empty string should be preserved. That is, http://:@apple.com/ should not become http://apple.com/. That would be more in line with RFC 3986 and Gecko.
I'm not sure about the case above where username is also empty. But I tend to agree for "http://a:@www.apple.com".
The URL Standard changed on this apparently: https://url.spec.whatwg.org/#concept-url-serializer https://jsdom.github.io/whatwg-url/#url=aHR0cDovLzpAYXBwbGUuY29tLw==&base=YWJvdXQ6Ymxhbms=