This repository has been archived by the owner on Jul 23, 2022. It is now read-only.
Figure out whether embedded credentials are supposed to be allowed in URLs #129
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Currently, we allow embedded credentials in URLs, because I haven't put in a check to explicitly disallow them. There's a comment to the effect that they're not supposed to be allowed in the Chrome codebase, and I could swear at one point I saw the code that actually implemented this check, but I can't find it now.
I think this might be security-relevant but am not super clear on the details. I wish there was an actual spec...
The text was updated successfully, but these errors were encountered: