New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 82250 link

Starred by 3 users

Issue metadata

Status: WontFix
Last visit > 30 days ago
Closed: Feb 2012
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

  • Only users with Commit permission may comment.

Sign in to add a comment

HTTP username:password stripped out from links

Reported by, May 11 2011

Issue description

Chrome Version       : 11.0.696.65
OS Version: OS X 10.6.7
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: OK
  Firefox 4.x: OK

What steps will reproduce the problem?
1. Create a test HTML page with the following content:

<a href="">Link</a>

2. Load the page in Chrome

What is the expected result?

The username and password are passed to the destination URL.

What happens instead?

The username and password are stripped out when clicking the link so they are not passed to the destination URL to automatically log in through HTTP AUTH.

Please provide any additional information below. Attach a screenshot if

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Screen shot 2011-05-11 at 08.58.09.png
109 KB View Download

Comment 1 by, May 15 2011

Labels: -Area-Undefined Area-Internals internals-network
Status: Untriaged

Comment 2 by, May 16 2011

Cc: a deleted user
Labels: -internals-network Internals-Network-Auth Mstone-14
Owner: a deleted user
Status: Assigned
ahendrickson: could you find out where Chrome strips username:password
from the URL when you click the link?  Thanks.

Comment 3 by Deleted ...@, Jun 8 2011

I have the same issue. It does not happen always, sometimes the link with username and password works, sometimes it doesn't. Thanks.

Comment 5 by, Jul 28 2011

Labels: -Mstone-14 Mstone-15 MovedFrom-14
Punting out non-critical bugs.  Please move back to 14 if you believe this was done in error.
Labels: -Mstone-15 -MovedFrom-14
I tried out a number of cases and was unable to reproduce the problem. 

If you have a reproducible case, please point to a page where this is encountering issues or provide a net-internal dump:

Status: WontFix
Support for embedded username/password in URLs is being removed from Chrome. Moving to WontFix.

Comment 8 by Deleted ...@, Jun 2 2012

Why? What is the rationale behind this?
I'm guessing copying internet explorer - which banned these a while ago. 

I think because a url like

can be misleading to users. To someone not aware of semantics of URLs, could easily think that is a geniune page. There are also some exploits that try to use strnage chars int eh passowrd (like a null byte) to fool the browser into stopping showing any more of the url. 
Project Member

Comment 10 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 11 by, Mar 10 2013

Labels: -Area-Internals -Internals-Network-Auth Cr-Internals Cr-Internals-Network-Auth

Sign in to add a comment