Microsoft to Change IE Behavior to Block Spoofing Attacks
By Larry Seltzer | Posted 2004-01-29
http://username:password@server/file.html syntax to be disallowed by an upcoming software update. Problematic feature was recently made more dangerous by the unveiling of a display bug in browser.

Microsoft Corp. has announced in a support document that it will be releasing a software update to Internet Explorer and Windows Explorer to disable the use of certain syntax in HTTP URLs. The syntax, designed to allow a username and password to be passed to a password-protected page, has a history of abuse. The company did not give a timeline for the release of the patch.
The syntax takes the form http[s]://username:password@server/file.html, such as http://joe:blow@example.com/, where "joe" is the username and "blow" is the password. But a site that does not look for the username and password will ignore the values passed, and only the string after the "@" symbol is used for the domain name. Other browsers support this syntax to varying degrees.
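
The check below is an added example, not code from the article or from Microsoft: it parses HTTP(S) URLs, reports the host that actually receives the request (the part after the "@"), and rebuilds the URL without the username:password portion for display or logging. The names inspectUrl, safeDecode and HOSTLIKE, the host-like-userinfo heuristic and the sample URLs are assumptions made for the illustration.

```javascript
// Added example: function and field names are hypothetical, sample URLs are constructed.

// Heuristic assumed by this example: userinfo shaped like a host name
// (labels separated by dots) can be misread as the destination.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Percent-decode for display; fall back to the raw text if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { raw, valid: false, hasUserinfo: false };
  }
  // The article concerns HTTP and HTTPS URLs only.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { raw, valid: true, hasUserinfo: false, skipped: true };
  }
  const username = safeDecode(u.username);
  const hasUserinfo = u.username !== "" || u.password !== "";
  const realHost = u.host; // the part after "@": where the request goes
  // Rebuild the URL without credentials for display or logging.
  u.username = "";
  u.password = "";
  return {
    raw, valid: true, hasUserinfo, realHost,
    hostLikeUserinfo: hasUserinfo && HOSTLIKE.test(username),
    sanitized: u.href,
  };
}

// Constructed sample input.
const samples = [
  "http://joe:blow@example.com/",
  "http://www.bank.example@203.0.113.7/login.html",
  "https://example.com/file.html",
  "not a url",
];
for (const s of samples) {
  console.log(JSON.stringify(inspectUrl(s)));
}
```

A mail filter or proxy log pipeline can show the sanitized value to the reader and alert when hostLikeUserinfo is true.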