Entering user:pass@host in address bar without scheme assumes search

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
4 years ago
10 months ago

People

(Reporter: neil.garb, Unassigned)

Tracking

({sec-low})

38 Branch
sec-low
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150511103818

Steps to reproduce:

I entered "user:pass@host.com" into the address bar with no scheme (i.e. no "http://").


Actual results:

I was taken to a Google search results page with "user:pass@host.com" as the search term.


Expected results:

I would expect Firefox to assume http (or better yet https) and make the request to host.com with the provided username and password.  Is it not a security concern that my credentials are passed on to Google?  It has become habit not to include the scheme when browsing in general (typing "facebook.com" doesn't search Google for "facebook.com") so neither should "user:pass@host.com".
(Reporter)

Comment 1

4 years ago
Version is Mozilla Firefox for Ubuntu 38.0 (canonical - 1.0), as pre-installed with Xubuntu.
(Reporter)

Updated

4 years ago
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

Comment 2

4 years ago
Related:
Bug 266604
Bug 662206
Component: Untriaged → Location Bar
Keywords: sec-low
OS: Linux → All
Hardware: x86_64 → All
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.