User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:22.214.171.124) Gecko/20070515 Firefox/126.96.36.199
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:188.8.131.52) Gecko/20070515 Firefox/184.108.40.206

It is possible to use the userinfo component of a URL to trick users into thinking they are at a different website than they are really at, as the above example demonstrates. Many users won't realize that they are at example.com, but will instead think they are at mybank.com. In fact, the majority of users probably won't even know what the userinfo component is. As the RFC (http://www.ietf.org/rfc/rfc1738.txt) states, userinfo isn't allowed in an HTTP URL. This really should be fixed; it's a disaster waiting to happen.

Reproducible: Always

Steps to Reproduce:
1. Follow the given URL.

Actual Results:
Taken to example.com instead of mybank.com.

Expected Results:
Alerted the user that userinfo isn't allowed in URLs.
The RFC may say that, but that's not what's true in practice. Firefox 2 does give a warning on the URL you give; I don't know why you are not seeing it. Gerv
Firefox alerts the user saying they're really going to "example.com" and that a login may be an attempt to trick you. After the warning the userinfo is stripped from the address bar so that clearly shows example.com as well.
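The check the report asks for, and the behaviour the previous comment describes (warn, then strip the userinfo from the displayed address), as an added example that is not part of the bug thread or of Firefox's own code. It uses the WHATWG URL API (Node.js or any modern browser), so an "@" in the path or query is not mistaken for a userinfo separator; the sample URLs, the `inspectUrl` function and the hostname-lookalike heuristic are constructed for this example.

```javascript
// Added example (not from the bug report): flag a userinfo component in a URL
// and report the host the browser will actually connect to, in the style of
// the warning the thread describes. Relies only on the WHATWG URL API.

function safeDecode(s) {
  // A malformed percent-escape must not crash the check; show it raw instead.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { parsed: false, reason: "not a valid URL" };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  const userinfo = safeDecode(url.username);
  // Heuristic (constructed for this example): a username shaped like a domain
  // name is the classic spoofing form, e.g. "http://mybank.com@example.com/".
  const looksLikeHost = hasUserinfo && /^[a-z0-9.-]+\.[a-z]{2,}/i.test(userinfo);
  // Rebuild the URL without credentials; this is what belongs in the address bar.
  const stripped = new URL(url.href);
  stripped.username = "";
  stripped.password = "";
  let warning = null;
  if (hasUserinfo) {
    warning =
      `You are about to log in to the site "${url.hostname}" with the username "${userinfo}"` +
      (looksLikeHost
        ? ", but the username looks like a website name; this may be an attempt to trick you."
        : ".");
  }
  return {
    parsed: true,
    realHost: url.hostname,
    hasUserinfo,
    userinfo,
    looksLikeHost,
    stripped: stripped.href,
    warning,
  };
}

// Constructed sample inputs (not from the report): the spoofing shape, a
// percent-encoded username, a harmless "@" inside the query, and a plain URL.
const SAMPLES = [
  "http://mybank.com@example.com/login",
  "http://mybank.com%2Flogin@example.com/",
  "https://example.com/reset?contact=alice@mybank.com",
  "https://mybank.com/login",
];

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    const r = inspectUrl(s);
    console.log(s, "=>", r.hasUserinfo ? r.warning : `no userinfo; host is ${r.realHost}`);
  }
}
```

Run it with `node` to see each sample classified. The design point is to let the URL parser decide where the authority ends rather than searching for "@" by hand: the third sample contains an "@" that is part of a query value, not a userinfo component, and a naive string search would misreport it.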
OK, my fault. Didn't do enough testing beforehand. Sorry about that.