This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
This bug is opened on behalf of David Walp, based on http://lists.w3.org/Archives/Public/public-webapps/2014OctDec/0505.html Original comment: Yes, we, Microsoft, are of the opinion that exposing passwords is a bad idea. Based on received feedback, customers agree and I suspect our customers are not unique on this opinion.
This is how e.g. XMLHttpRequest implements the user/password arguments. Has Microsoft dropped support for these in ftp URLs too now or are they still not telling the whole story when giving feedback?
A concrete example of an intentional difference from the proposed standard: http://intertwingly.net/projects/pegurl/urltest-results/7357a04b5b IE intentionally raises an exception of somebody attempts to fetch the href from an <a> element if that element contains a password.
Nothing is fetched in that test right? You mean invoking href's getter? I don't think that should ever throw. I don't really see what attack that would protect against.
Ah, I should have avoided the word 'fetch' as it has other meanings in this context. :-) Yes, I meant invoking the getter for href on an anchor (<a>) element. Do you have an alternative to throwing an exception to suggest that meets the stated customer requirements?
Yeah, align with all the other UAs. I don't see the security problem. The password can also be retrieved through getAttribute().
document.querySelector('a').getAttribute('href') does indeed expose the password with IE11.
Apologies to Microsoft for comment 1, that was out of line. The last time this was discussed in the context of XMLHttpRequest it turned out that username/password was not disabled for all URL schemes. And it wasn't clear what they were protecting against. That is why the URL specification aligned with the majority of implementations. There's definitely something to say for not handling URLs that username/password set in Fetch, at least for certain type of fetches, but that's a separate discussion (recently held on blink-dev).
This syntax is deprecated per RFC 3986 and RFC 7230. See: http://www.ietf.org/mail-archive/web/apps-discuss/current/msg13571.html At a minimum, URLs that contain a non-blank password should be considered a conformance error.
Probably related, but maybe it deserved a proper bug at Moz. https://bugzilla.mozilla.org/show_bug.cgi?id=479038
Related: https://support.microsoft.com/en-us/kb/834489
So yeah, if we want to match the RFCs we should make both username and password a conformance error. That seems very reasonable to me.
https://github.com/whatwg/url/commit/e0c721b680d0977013ef2a14ba578388c01bd331