New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 82250 link

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Feb 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

Restricted
  • Only users with Commit permission may comment.



Sign in to add a comment

HTTP username:password stripped out from links

Reported by professo...@gmail.com, May 11 2011

Issue description

Chrome Version       : 11.0.696.65
OS Version: OS X 10.6.7
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: OK
  Firefox 4.x: OK

What steps will reproduce the problem?
1. Create a test HTML page with the following content:

<a href="http://user:pass@example.com">Link</a>

2. Load the page in Chrome

What is the expected result?

The username and password are passed to the destination URL.

What happens instead?

The username and password are stripped out when clicking the link so they are not passed to the destination URL to automatically log in through HTTP AUTH.

Please provide any additional information below. Attach a screenshot if
possible.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
 
Screen shot 2011-05-11 at 08.58.09.png
109 KB View Download

Comment 1 by gavinp@chromium.org, May 15 2011

Labels: -Area-Undefined Area-Internals internals-network
Status: Untriaged

Comment 2 by wtc@chromium.org, May 16 2011

Cc: a deleted user wtc@chromium.org a...@gmail.com eroman%c...@gtempaccount.com
Labels: -internals-network Internals-Network-Auth Mstone-14
Owner: a deleted user
Status: Assigned
ahendrickson: could you find out where Chrome strips username:password
from the URL when you click the link?  Thanks.

Comment 3 by Deleted ...@, Jun 8 2011

I have the same issue. It does not happen always, sometimes the link with username and password works, sometimes it doesn't. Thanks.
Owner: cbentzel@chromium.org

Comment 5 by k...@google.com, Jul 28 2011

Labels: -Mstone-14 Mstone-15 MovedFrom-14
Punting out non-critical bugs.  Please move back to 14 if you believe this was done in error.
Labels: -Mstone-15 -MovedFrom-14
I tried out a number of cases and was unable to reproduce the problem. 

If you have a reproducible case, please point to a page where this is encountering issues or provide a net-internal dump:
 http://dev.chromium.org/for-testers/providing-network-details

Thanks
Cc: tsepez@chromium.org
Status: WontFix
Support for embedded username/password in URLs is being removed from Chrome. Moving to WontFix.

Comment 8 by Deleted ...@, Jun 2 2012

Why? What is the rationale behind this?
I'm guessing copying internet explorer - which banned these a while ago. 

I think because a url like

http://www.google.com:search@evil.com/

can be misleading to users. To someone not aware of semantics of URLs, could easily think that is a geniune google.com page. There are also some exploits that try to use strnage chars int eh passowrd (like a null byte) to fool the browser into stopping showing any more of the url. 
Project Member

Comment 10 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Internals-Network-Auth Cr-Internals Cr-Internals-Network-Auth

Sign in to add a comment