- From: Emily Stark <notifications@github.com>
- Date: Wed, 20 Mar 2019 21:01:25 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 21 March 2019 04:01:47 UTC
estark37 commented on this pull request. > -<ul class=brief> - <li><p>A <a for=/>URL</a>'s <a for=url>username</a> and <a for=url>password</a> should - not be rendered as they can be mistaken for a <a for=/>URL</a>'s <a for=url>host</a>. - E.g., consider <code>https://examplecorp.com@attacker.example/</code>. +<h4 id=url-rendering-simplification>Simplify non-human-readable or irrelevant components</h4> + +<p>Remove components that may provide opportunities for spoofing or distract from security-relevant +information: + +<ul> + <li><p>Browsers are encouraged to only render a URL’s <a for=url>host</a> in places where it is Done -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/434#discussion_r267620374
Received on Thursday, 21 March 2019 04:01:47 UTC