- From: Marco Cancellieri <me@marco.sh>
- Date: Tue, 14 Apr 2026 00:09:21 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAM1r9pr+JthjWmXcF05=k8SF6ySASy+gBxnCCnPkiE5AVA+GwA@mail.gmail.com>
Hi all,

I wanted to raise an issue that may be worth discussing in this group.

The URL syntax allows a userinfo component before the host, separated by `@`. This is a legacy feature that sees little legitimate use in HTTP(S) URLs today, but can be used to construct deceptive URLs such as:

    https://paypal.com@evil.com/login

Here, the actual destination is evil.com (paypal.com is the username field). Users reading the URL left-to-right are likely to mistake the userinfo for the destination host.

Some browsers currently strip the userinfo silently before making the request, but this still results in the user landing on the unintended destination without any indication that the URL was unusual.

One possible approach would be to display a warning before navigation when the userinfo portion of an http(s) URL resembles a domain name, for example when it contains a dot and matches a known public suffix. This is already used by browsers for cookie scoping, so the infrastructure exists.

I think this is worth defining guidance on, and would welcome discussion.

Thank you,
Marco
Received on Wednesday, 15 April 2026 09:50:25 UTC
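One way to implement the heuristic proposed above (warn when the userinfo of an http(s) URL resembles a domain name: it contains a dot and ends in a known public suffix). This is an added example, not code from the thread or from any browser. It assumes the WHATWG `URL` class (Node.js or a browser), which is what splits userinfo from host, and a constructed toy public-suffix list standing in for the real publicsuffix.org data. One refinement is my own rather than the proposal's: the check is applied to the leading run of hostname-shaped characters of the decoded username, because that is what a reader sees first, so `paypal.com%40account@evil.com` is flagged too. Note that `https://www.paypal.com/login@evil.com` is not flagged, since the `/` ends the authority and the host really is www.paypal.com.

```javascript
// Added example (not from the thread): flag http(s) URLs whose userinfo
// resembles a domain name. Runs under Node.js >= 10 or a modern browser.

// Constructed toy public-suffix list. A real implementation would use the
// publicsuffix.org data that browsers already ship for cookie scoping.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'io', 'co.uk']);

// Longest public suffix of `name` that leaves at least one label in front
// of it (so a bare "com" is not a domain), or null if none matches.
function publicSuffixOf(name) {
  const labels = name.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// RFC 1123-style check: letters, digits, hyphens; no leading or trailing
// hyphen; 1-63 characters per label; at least two labels.
function looksLikeHostname(name) {
  const labels = name.split('.');
  if (labels.length < 2) return false;
  return labels.every(l => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(l));
}

// Inspect a URL string. Returns { warn, reason, host, userinfo, suffix }.
function checkUserinfo(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { warn: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { warn: false, reason: 'not http(s)', host: url.hostname };
  }
  if (url.username === '' && url.password === '') {
    return { warn: false, reason: 'no userinfo', host: url.hostname };
  }
  // The parser leaves percent-escapes in the username as-is; show what a
  // user would read, falling back to the raw form on malformed escapes.
  let shown = url.username;
  try { shown = decodeURIComponent(url.username); } catch { /* keep raw */ }

  // My refinement (not the proposal's): judge the leading run of hostname
  // characters, since that is what the eye reads first.
  const m = /^[a-z0-9.-]+/i.exec(shown);
  const lead = m ? m[0] : '';
  if (!lead.includes('.') || !looksLikeHostname(lead)) {
    return { warn: false, reason: 'userinfo does not resemble a hostname',
             host: url.hostname, userinfo: shown };
  }
  const suffix = publicSuffixOf(lead);
  if (suffix === null) {
    return { warn: false, reason: 'no known public suffix',
             host: url.hostname, userinfo: shown };
  }
  return {
    warn: true,
    reason: `userinfo "${lead}" looks like a domain (suffix .${suffix}) ` +
            `but the request goes to ${url.hostname}`,
    host: url.hostname,
    userinfo: shown,
    suffix,
  };
}

// Constructed sample inputs, including the one from the message.
const SAMPLES = [
  'https://paypal.com@evil.com/login',
  'https://paypal.com:443@evil.com/',
  'https://paypal.com%40account@evil.com/',
  'https://www.paypal.com/login@evil.com',
  'https://admin@evil.com/',
  'https://paypal.internal@evil.com/',
  'ftp://paypal.com@evil.com/',
];
for (const s of SAMPLES) {
  const r = checkUserinfo(s);
  console.log(`${r.warn ? 'WARN' : 'ok  '} ${s} -> ${r.reason}`);
}
```

The check is deliberately applied to the parsed `URL` object rather than to the raw string, so anything the parser would not treat as userinfo (a `@` after the first `/`, a port on the host) cannot trigger it, and a port or password after the username (`paypal.com:443@evil.com`) still does.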