- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 21 Apr 2026 14:23:38 -0700
- To: Marco Cancellieri <me@marco.sh>
- Cc: public-webappsec@w3.org
Received on Tuesday, 21 April 2026 21:24:09 UTC
> Some browsers currently strip the userinfo silently before making the request,

There are browsers that don't? That would be the standard behavior: a user agent first makes the request without userinfo because you can't send a valid `Authorization` header until you get the `WWW-Authenticate` details from the 401 response. IE got away with rejecting those URLs as invalid, but it was EOL by the time Firefox gave up its lonely quest to warn people about it.

The URL spec considers URLs containing userinfo to be "not valid"[1] but nonetheless carefully defines how to parse and serialize it, with web platform conformance tests to ensure browser interoperability.

[1] https://url.spec.whatwg.org/#:~:text=There%20is%20no%20way%20to%20express%20a%20username%20or%20password%20of%20a%20URL%20record%20within%20a%20valid%20URL%20string

-Dan Veditz
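The request sequence described in the message above, as an added example that is not part of the original e-mail or any browser's code: the WHATWG parser accepts the userinfo, the first request goes out without it, and an `Authorization` value is built only after a 401 carrying a `Basic` challenge. Assumes Node.js (`URL`, `Buffer`); the function names and the sample URL are constructed, and only the first challenge in `WWW-Authenticate` is inspected.

```javascript
// Added illustration: hypothetical helper names, constructed sample URL.

// Split a URL string into the userinfo-free URL a client requests first
// and the credentials it holds back until the server challenges.
function splitUserinfo(input) {
  const url = new URL(input); // WHATWG parser accepts userinfo
  const creds = (url.username || url.password)
    ? {
        // username/password are exposed percent-encoded; decode for use
        username: decodeURIComponent(url.username),
        password: decodeURIComponent(url.password),
      }
    : null;
  url.username = '';
  url.password = '';
  return { requestUrl: url.href, creds };
}

// Build an Authorization value only when a 401 names a Basic challenge.
// Simplification: only the first scheme in the header is checked.
function answerChallenge(status, wwwAuthenticate, creds) {
  if (status !== 401 || !creds) return null;
  if (!/^\s*Basic\b/i.test(wwwAuthenticate || '')) return null;
  const token = Buffer.from(
    `${creds.username}:${creds.password}`, 'utf8'
  ).toString('base64');
  return `Basic ${token}`;
}

// Walk the two steps with a constructed URL and a constructed 401 header.
function demo() {
  const { requestUrl, creds } =
    splitUserinfo('https://user:p%40ss@example.test/a?b=1');
  const first = { url: requestUrl, headers: {} }; // no Authorization yet
  const retry = answerChallenge(401, 'Basic realm="constructed"', creds);
  return { first, retry };
}
```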