HTTP username:password stripped out from links
Reported by professo...@gmail.com, May 11 2011
Chrome Version : 11.0.696.65 OS Version: OS X 10.6.7 URLs (if applicable) : Other browsers tested: Add OK or FAIL after other browsers where you have tested this issue: Safari 5: OK Firefox 4.x: OK What steps will reproduce the problem? 1. Create a test HTML page with the following content: <a href="http://user:firstname.lastname@example.org">Link</a> 2. Load the page in Chrome What is the expected result? The username and password are passed to the destination URL. What happens instead? The username and password are stripped out when clicking the link so they are not passed to the destination URL to automatically log in through HTTP AUTH. Please provide any additional information below. Attach a screenshot if possible. UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
May 15 2011,
May 16 2011,
ahendrickson: could you find out where Chrome strips username:password from the URL when you click the link? Thanks.
Jun 8 2011,
I have the same issue. It does not happen always, sometimes the link with username and password works, sometimes it doesn't. Thanks.
Jul 20 2011,
Jul 28 2011,
Punting out non-critical bugs. Please move back to 14 if you believe this was done in error.
Sep 2 2011,
I tried out a number of cases and was unable to reproduce the problem. If you have a reproducible case, please point to a page where this is encountering issues or provide a net-internal dump: http://dev.chromium.org/for-testers/providing-network-details Thanks
Feb 10 2012,
Support for embedded username/password in URLs is being removed from Chrome. Moving to WontFix.
Jun 2 2012,
Why? What is the rationale behind this?
Jun 2 2012,
I'm guessing copying internet explorer - which banned these a while ago. I think because a url like http://www.google.com:email@example.com/ can be misleading to users. To someone not aware of semantics of URLs, could easily think that is a geniune google.com page. There are also some exploits that try to use strnage chars int eh passowrd (like a null byte) to fool the browser into stopping showing any more of the url.
Oct 13 2012,
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
Mar 10 2013,
Sign in to add a comment