When navigation to a URL that includes HTTP Basic Auth login information in the format like USER:PASSWORD@example.com the part before the @ is ignored and a popup that asks for a username and a password is displayed
I think that this may be intentional, but cannot remember the details. Adding some people who may know.
Yeah, this would make it very easy to perform dictionary attacks or phish the end user in some way. Various groups, including the HTTP WG, have been deprecating this format for HTTP URLs.
Firefox and Chrome support this feature on mobile and Desktop. I don't see how this could be used for phishing. Could you elaborate on this? Could you send a link to the HTTP WG statement?
Thanks, I guess we should keep this open for now then. The phishing aspect for these URLs is mainly that you could put something before the `@` that might confuse the end user about where they are going. It's deprecated for all URLs apparently: https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1. https://url.spec.whatwg.org agrees with this though states it in a less obvious manner.
<rdar://problem/116052283>