Say goodbye to URLs with embedded credentials

Leonid Makarov
Aug 21, 2017 · 3 min read
> [Deprecation] Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass@host/`) are blocked. See for more details.
3.2.1. User Information
Use of the format "user:password" in the userinfo field is deprecated.
7.5. Sensitive Information

URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies). A password appearing within the userinfo component is deprecated and should be considered an error (or simply ignored) except in those rare cases where the 'password' parameter is intended to be public.
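The RFC 3986 concern quoted above (URIs are displayed, bookmarked and logged), as an added example that is not part of the original article: a JavaScript scanner that parses each URL with the WHATWG `URL` API, flags any userinfo component, and redacts it before the text is stored. The function names and the sample lines are constructed for illustration.

```javascript
// Added example (not from the original article). Sample lines are constructed.
// Matches absolute URLs in free text such as HTML or log lines.
const URL_RE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Parse one URL with the WHATWG URL API and report its userinfo component.
// Returns null when the string is not a parsable absolute URL.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  const hasUser = u.username !== '';
  const hasPassword = u.password !== '';
  // Clearing both fields drops the "user:password@" prefix on serialization.
  u.username = '';
  u.password = '';
  return { hasUser, hasPassword, host: u.host, redacted: u.href };
}

// Scan text, collect URLs that carry credentials, and return a redacted copy.
// Findings hold only the redacted form so the secret is not copied again.
function scanText(text) {
  const findings = [];
  const redactedText = text.replace(URL_RE, (match) => {
    const info = inspectUrl(match);
    if (!info || !(info.hasUser || info.hasPassword)) return match;
    findings.push(info);
    return info.redacted;
  });
  return { findings, redactedText };
}

// Constructed sample: two URLs with userinfo, two without. The third line has
// "@" in the path and query only, which is not a userinfo component.
const SAMPLE = [
  '<img src="https://user:pass@img.example.test/logo.png">',
  '<script src="https://cdn.example.test/app.js"></script>',
  'GET https://example.test/users/@bob?mail=a@b.test 200',
  'fetch https://token@api.example.test/v1/items',
].join('\n');

const result = scanText(SAMPLE);
console.log(result.findings);
console.log(result.redactedText);
```

Parsing the authority instead of searching for `@` keeps the third sample line from being flagged.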
[Images: macOS, Firefox; macOS, Safari; Windows 10, Edge; Windows 10, IE 11]

Written by Leonid Makarov, Chief Architect@FFW US, Docksal creator and maintainer
