REOPENED261738
HTTP Basic Auth in URL not used 
https://bugs.webkit.org/show_bug.cgi?id=261738
Summary HTTP Basic Auth in URL not used
Janik Besendorf
Reported 2023-09-19 06:36:29 PDT
When navigation to a URL that includes HTTP Basic Auth login information in the format like USER:PASSWORD@example.com the part before the @ is ignored and a popup that asks for a username and a password is displayed
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2023-09-20 17:08:29 PDT
I think that this may be intentional, but cannot remember the details. Adding some people who may know.
Anne van Kesteren
Comment 2 2023-09-21 03:03:15 PDT
Yeah, this would make it very easy to perform dictionary attacks or phish the end user in some way. Various groups, including the HTTP WG, have been deprecating this format for HTTP URLs.
Janik Besendorf
Comment 3 2023-09-21 05:12:24 PDT
Firefox and Chrome support this feature on mobile and Desktop. I don't see how this could be used for phishing. Could you elaborate on this? Could you send a link to the HTTP WG statement?
Anne van Kesteren
Comment 4 2023-09-21 07:25:20 PDT
Thanks, I guess we should keep this open for now then. The phishing aspect for these URLs is mainly that you could put something before the `@` that might confuse the end user about where they are going. It's deprecated for all URLs apparently: https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1. https://url.spec.whatwg.org agrees with this though states it in a less obvious manner.
Radar WebKit Bug Importer
Comment 5 2023-09-26 06:37:11 PDT
<rdar://problem/116052283>
Note You need to log in before you can comment on or make changes to this bug.