Closed Bug 267654 Opened 20 years ago Closed 20 years ago

user@ removed from URL

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
OS/2
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: bugzilla.mozilla.org, Assigned: bugs)

Details

I have a homepage at http://schl@tter.de. 
The site checks the "schl" and redirects to the correct page. Firefox removes
the "schl" since it thinks this is a hacker trick.
(The site does not prompt for authentication)
With FF 1.0rc2 and Moz 1.8a5 I get 2 dialogs asking me if it is correct that I
want to tter.de with username schl although no auth is needed. 2x yes and I am
at http://tter.de/ (makeup-shop.de). The schl is removed from the URL bar only
(it affects only the display). That is for security reasons. Or do you mean
something different? What is the bug? You can also use http://schl:@tter.de/
(explicitly empty password) and then the URL bar shows http://@tter.de/.
Firefox does not send the authentication header. With MSIE, you end up at
another page.

How old an MSIE? current versions will not load such URLs at all -- I hit a
local error page before it even attempts to hit the network (as verified by my
firewall).

In any case HTTP would require us to send the user name only in response to a
site's request for authentication, so if the site doesn't request Auth then I
don't see how this could ever have worked. Of course the most recent HTTP spec
strongly and explicitly discourages URLs that contain user[:pass] info, which
why MS felt OK about dropping it entirely in response to phishing, and we
started putting up the warnings.
Component: Location Bar and Autocomplete → Networking: HTTP
Product: Firefox → Browser
Version: 1.0 Branch → Trunk
It works with MSIE 6

The problem is that the "user@" is removed from the url.

There are webhosters like strato which offer this redirection as "@domains".

Multiple users share a domain and the webserver (or better: a javascript) checks
the name before the "@" to decide which "subdomain" is desired.

It does not work with IE with all patches applied (I've got
6.0.2900.2180.xpsp_sp2_rtm.040803-2158). This is a conscious change Microsoft
made this year to stop supporting URLs of this type.

In the case of this site it works because, although we do not send the "schl"
part to the HTTP server since Auth is not requested, scripts on the initial page
look at parent.parent.location.href and get the user:pass from the DOM. The fact
that user:pass was ever present in location.href was itself a security/privacy hole.

If the server asks for authentication then it would be sent the user:pass
portion of the URL (though not in recent versions of IE as mentioned), and could
redirect based on that. It's much more likely that domain services that work
this way are doing server-based redirection rather than scripts in the entry
page, but I could be wrong. In any case they're going to have to change their
model since IE has changed. The most likely equivalent would be to use virtual
domains, that is, your initial URL would become http://schl.tter.de/ for exactly
the same number of characters. In this case you lose the a/@ equivalence
spelling your name, but in the general case . or @ doesn't make much difference.

You can restore the old behavior by setting the pref
browser.fixup.hide_user_pass to false. That doesn't help you much if you want to
hand these URLs out to other people, but might work for your own convenience.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
(In reply to comment #6)
> It does not work with IE with all patches applied (I've got
> 6.0.2900.2180.xpsp_sp2_rtm.040803-2158). This is a conscious change Microsoft
> made this year to stop supporting URLs of this type.
Yeah, since the April 2004 cumulative update for IE. See
http://www.ladlass.com/archives/001477.html and
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 for details.

> You can restore the old behavior by setting the pref
> browser.fixup.hide_user_pass to false. That doesn't help you much if you want to
> hand these URLs out to other people, but might work for your own convenience.
For a similiar tweak for IE see the bottom at the above KB article.
You need to log in before you can comment on or make changes to this bug.