10326 2010-08-09 12:30:42 +0000 make "user:password" in URLs a SYNTAX_ERR 2012-11-24 16:12:02 +0000 1 1 1 Unclassified WHATWG URL unspecified PC All RESOLVED WORKSFORME P2 normal Unsorted 1 annevk annevk adrianba ap julian.reschke mike mjs public-webapps sideshowbarker+urlspec oldest_to_newest 37301 0 annevk 2010-08-09 12:30:42 +0000 Currently "user:password" is an optional feature and I would rather kill support for it entirely than leave it as such. Now it cannot be tested basically. Can we do this? 37324 1 mjs 2010-08-09 22:33:33 +0000 How do implementations currently behave in this case? 37328 2 annevk 2010-08-10 05:58:19 +0000 Webkit/Gecko both allow it. Opera prompts the user and does not let the user/password arguments of open() override it. I believe Internet Explorer does throw, but I cannot test it. 37330 3 annevk 2010-08-10 07:27:36 +0000 Turns out Internet Explorer 9 does not throw (reportedly). I think the simplest way forward is to remove If the "user:password" format in the userinfo production is not supported for the relevant scheme and url contains this format raise a SYNTAX_ERR and terminate these steps. from the specification and let the URL parsing specification handle the details as to whether such URLs resolve or not. For http/https they probably ought to resolve given the implementations that support them and I will add tests to the test suite for that. 37336 4 adrianba 2010-08-10 18:37:20 +0000 IE9 doesn't support this syntax (it follows http://support.microsoft.com/kb/834489). The IE9 preview builds only demonstrate the platform and don't impose many security constraints including this one. The underlying web browser control platform makes this an option for the host application. When Internet Explorer is the host, the constraint is enforced. 61824 5 annevk 2011-12-20 17:38:22 +0000 Adrian, sorry for not following up, does that mean IE does not support it in any URL, regardless of the scheme? 63345 6 adrianba 2012-01-30 18:51:12 +0000 I think we still support it for ftp://. 75957 7 annevk 2012-10-11 10:05:43 +0000 So I guess this is really a URL "bug". And about whether userinfo in an http/https URL should render it invalid. Only Internet Explorer appears to do this so I'm inclined to call it a bug in Internet Explorer unless there are particularly compelling reasons for everyone to align with their behavior. 78736 8 annevk 2012-11-24 16:12:02 +0000 The situation in specs land is now as follows: user:password support is mandatory.