Internet Explorer is removing support for URIs 2

Forget everything I say below. I’m an idiot. Read the comments to see why.

As I mentioned in an earlier post, IE is having some very serious problems with URIs that contain user names and passwords. Support for user names and passwords is a required part of the URI specification. Now, instead of fixing the real bug, Microsoft is planning to break their support for the URI standard.

This is the second time in a short time that Microsoft has chosen to break IE instead of fixing it in a satisfactory way. (Last time they broke window.moveTo because they didn’t manage to fix a drag and drop bug/exploit.) Would it not be better to hide the user name and password section in the status bar and address bar? Hiding it in the status bar is trivial and does not have any undesired side effects. Hiding it in the address bar might have some negative side effects. For example, if I type http://erik:ruls@www.domain.com/ with a misspelled password, I will not be able to log in. The address bar would now show http://www.domain.com and I would not know that I mistyped the password.

  • Jason Mauer

    Actually, the change results in IE now conforming to the standard. The URL spec explicitly states that username and password are not allowed for HTTP.

    Check it out at http://www.ietf.org/rfc/rfc1738.txt – look for Section 3.3 (HTTP) and the following:

    An HTTP URL takes the form:

    http://<host>:<port>/<path>?<searchpart>

    where <host> and <port> are as described in Section 3.1. If :<port>
    is omitted, the port defaults to 80. No user name or password is
    allowed. <path> is an HTTP selector, and <searchpart> is a query
    string. The <path> is optional, as is the <searchpart> and its
    preceding “?”. If neither <path> nor <searchpart> is present, the “/”
    may also be omitted.

    So if you’re pushing the standards argument, you could have complained about it before the patch, but not after :)

  • brian parker

    No Eric, you are not an idiot. There is an RFC that Microsoft links to legitimizing the use of the user:pw@domain syntax. See RFC 1738 (http://www.ietf.org/rfc/rfc1738.txt)

    And here’s the snip…

    3.1. Common Internet Scheme Syntax

    While the syntax for the rest of the URL may vary depending on the
    particular scheme selected, URL schemes that involve the direct use
    of an IP-based protocol to a specified host on the Internet use a
    common syntax for the scheme-specific data:

    //<user>:<password>@<host>:<port>/<url-path>

    Some or all of the parts “<user>:<password>@”, “:<password>”,
    “:<port>”, and “/<url-path>” may be excluded. The scheme specific
    data start with a double slash “//” to indicate that it complies with
    the common Internet scheme syntax. The different components obey the
    following rules:

    user
    An optional user name. Some schemes (e.g., ftp) allow the
    specification of a user name.

    password
    An optional password. If present, it follows the user
    name separated from it by a colon.

    The user name (and password), if present, are followed by a
    commercial at-sign “@”. Within the user and password field, any “:”,
    “@”, or “/” must be encoded.

    Note that an empty user name or password is different than no user
    name or password; there is no way to specify a password without
    specifying a user name. E.g., <URL:ftp://@host.com/> has an empty
    user name and no password, <URL:ftp://host.com/> has no user name,
    while <URL:ftp://foo:@host.com/> has a user name of “foo” and an
    empty password.
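
The two RFC 1738 sections quoted in the comments above can be checked mechanically. The following is an added example, not code from the post, its commenters or Microsoft: it splits a URL using the Section 3.1 syntax, keeps the "empty" versus "absent" distinction for user name and password, flags HTTP URLs that carry userinfo (Section 3.3), and produces the userinfo-free form the post suggests showing in the status bar. The function names are hypothetical.

```javascript
// Added example; parseAuthority, displayUrl and httpHasUserinfo are hypothetical names.
// Splits "<scheme>://<user>:<password>@<host>:<port>/<url-path>" (RFC 1738, 3.1).
// user/password are null when absent and "" when present but empty;
// values are returned as written, still percent-encoded.
function parseAuthority(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)(.*)$/i.exec(url);
  if (!m) throw new Error("not a common Internet scheme URL: " + url);
  const authority = m[2];
  // A literal "@" inside user or password must be encoded, so the last "@"
  // in the authority is the userinfo delimiter.
  const at = authority.lastIndexOf("@");
  let user = null, password = null;
  if (at !== -1) {
    const userinfo = authority.slice(0, at);
    const colon = userinfo.indexOf(":");
    user = colon === -1 ? userinfo : userinfo.slice(0, colon);
    password = colon === -1 ? null : userinfo.slice(colon + 1);
  }
  const hp = /^(.*?)(?::(\d+))?$/.exec(authority.slice(at + 1));
  return { scheme: m[1].toLowerCase(), user, password, host: hp[1],
           port: hp[2] === undefined ? null : Number(hp[2]), rest: m[3] };
}

// What a status bar could show: the same URL with the userinfo removed.
function displayUrl(url) {
  const p = parseAuthority(url);
  return p.scheme + "://" + p.host + (p.port === null ? "" : ":" + p.port) + p.rest;
}

// RFC 1738 section 3.3: no user name or password is allowed in an HTTP URL.
function httpHasUserinfo(url) {
  const p = parseAuthority(url);
  return p.scheme === "http" && p.user !== null;
}

// Sample inputs: the three RFC 1738 examples plus the URL from the post.
const samples = ["ftp://@host.com/", "ftp://host.com/", "ftp://foo:@host.com/",
                 "http://erik:ruls@www.domain.com/"];
for (const u of samples) {
  const p = parseAuthority(u);
  console.log(u, "user=" + JSON.stringify(p.user), "password=" + JSON.stringify(p.password),
              "display=" + displayUrl(u), "httpUserinfo=" + httpHasUserinfo(u));
}
```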