Bug 10326 - make "user:password" in URLs a SYNTAX_ERR
Status: RESOLVED WORKSFORME
Product: WHATWG
Classification: Unclassified
Component: URL
Assigned To: Anne
Reported: 2010-08-09 12:30 UTC by Anne
Modified: 2012-11-24 16:12 UTC
Description Anne 2010-08-09 12:30:42 UTC
Currently "user:password" is an optional feature and I would rather kill support for it entirely than leave it as such. Now it cannot be tested basically.

Can we do this?
Comment 1 Maciej Stachowiak 2010-08-09 22:33:33 UTC
How do implementations currently behave in this case?
Comment 2 Anne 2010-08-10 05:58:19 UTC
WebKit/Gecko both allow it. Opera prompts the user and does not let the user/password arguments of open() override it. I believe Internet Explorer does throw, but I cannot test it.
Comment 3 Anne 2010-08-10 07:27:36 UTC
Turns out Internet Explorer 9 does not throw (reportedly).

I think the simplest way forward is to remove

  If the "user:password" format in the userinfo production
  is not supported for the relevant scheme and url contains
  this format raise a SYNTAX_ERR and terminate these steps.

from the specification and let the URL parsing specification handle the details as to whether such URLs resolve or not.

For http/https they probably ought to resolve given the implementations that support them and I will add tests to the test suite for that.
Comment 4 Adrian Bateman [MSFT] 2010-08-10 18:37:20 UTC
IE9 doesn't support this syntax (it follows http://support.microsoft.com/kb/834489). The IE9 preview builds only demonstrate the platform and don't impose many security constraints including this one. The underlying web browser control platform makes this an option for the host application. When Internet Explorer is the host, the constraint is enforced.
Comment 5 Anne 2011-12-20 17:38:22 UTC
Adrian, sorry for not following up, does that mean IE does not support it in any URL, regardless of the scheme?
Comment 6 Adrian Bateman [MSFT] 2012-01-30 18:51:12 UTC
I think we still support it for ftp://.
Comment 7 Anne 2012-10-11 10:05:43 UTC
So I guess this is really a URL "bug". And about whether userinfo in an http/https URL should render it invalid. Only Internet Explorer appears to do this so I'm inclined to call it a bug in Internet Explorer unless there are particularly compelling reasons for everyone to align with their behavior.
Comment 8 Anne 2012-11-24 16:12:02 UTC
The situation in specs land is now as follows: user:password support is mandatory.
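
The two behaviours contrasted in this thread (the URL parser accepting userinfo, and a host application refusing it for http/https while allowing it for ftp), shown as an added example that is not part of the bug thread or of any specification. `inspectUserinfo` and `REJECT_SCHEMES` are hypothetical names, and the URLs are constructed samples.

```javascript
// Added example. Uses the standard URL class (browsers and Node.js).
// REJECT_SCHEMES and inspectUserinfo are hypothetical names for illustration.

// Host-application policy: schemes for which embedded credentials are refused.
// This mirrors the behaviour described in comments 4 and 6 (refused for
// http/https, still allowed for ftp). Pass an empty Set for the permissive
// behaviour of comment 8, where userinfo always parses.
const REJECT_SCHEMES = new Set(["http:", "https:"]);

function inspectUserinfo(input, rejectSchemes = REJECT_SCHEMES) {
  let url;
  try {
    // The parser itself treats "user:password@" as valid syntax.
    url = new URL(input);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }

  const hasUserinfo = url.username !== "" || url.password !== "";

  // The real host is whatever follows the last "@" in the authority,
  // so report it explicitly instead of trusting how the string reads.
  if (hasUserinfo && rejectSchemes.has(url.protocol)) {
    return { ok: false, reason: "userinfo-not-allowed", host: url.hostname };
  }

  // Build a copy with credentials stripped, suitable for logs or Referer-like use.
  const redacted = new URL(url.href);
  redacted.username = "";
  redacted.password = "";

  return { ok: true, hasUserinfo, host: url.hostname, logSafe: redacted.href };
}

// Constructed sample inputs.
const samples = [
  "http://www.example.com@203.0.113.5/login", // userinfo that looks like a host
  "ftp://user:pw@files.example/pub",          // allowed by the sample policy
  "https://example.org/path",                 // no userinfo
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(inspectUserinfo(s)));
}
```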