Microsoft just posted a security update for Internet Explorer. One of the fixes is to disable usernames and passwords in HTTP URLs. This is to stop spoof sites from using URLs like http://www.paypal.com@evilscammer.com/, which confuse naive users about which site they are browsing. Unluckily, it violates the URL standard and breaks useful behavior.
This affects one of our websites. The protected section of the website uses basic authentication. The username and password are put in the URL to access the content pages. This is a pretty stupid way of doing authentication since the username and password are exposed. But the content pages are accessed through a CGI script and in a frame so the URLs are not visible.
I think Microsoft should have chosen a different solution to the problem: not showing the username and password in the URL bar or status bar. The username (and auth mechanism) should show in "Page Info". Hiding information is bad (it would make debugging harder) but deceiving users is worse.
To make it clear when the authentication happens, the window should pop up, but with the username and password filled in from the URL. This makes it obvious that authentication is happening. It also lets the user see the username and password. This doesn't help with spoof sites, which probably don't use any authentication.
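To make the parsing concrete, here is an added example (not code from Microsoft or from this post) that splits a URL with the WHATWG `URL` parser, reports which host is actually contacted, flags a username that itself reads like a hostname, and builds the credential-free display form suggested above. The names `inspectUrl`, `looksLikeHostname` and `safeDecode` are hypothetical, and the hostname heuristic is an assumption of the example.

```javascript
// Added example: inspect the userinfo part of an HTTP(S) URL.

// Percent-decoding can throw on malformed input such as "%zz"; fall back to raw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Heuristic (assumption): dotted labels ending in a TLD-like suffix read as a
// hostname to a casual user, e.g. "www.paypal.com".
function looksLikeHostname(s) {
  return /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i.test(s);
}

function inspectUrl(raw) {
  const u = new URL(raw);
  const hasUserinfo = u.username !== "" || u.password !== "";
  // Decode so that "www%2Epaypal%2Ecom" is judged the same as "www.paypal.com".
  const username = safeDecode(u.username);

  // Display form with credentials removed (what the URL bar would show).
  const shown = new URL(u.href);
  shown.username = "";
  shown.password = "";

  return {
    host: u.hostname,            // the server the browser actually contacts
    username,                    // what would go in "Page Info"
    hasUserinfo,
    spoofLikely: hasUserinfo && looksLikeHostname(username) &&
                 username.toLowerCase() !== u.hostname,
    display: shown.href,
  };
}

// The first URL is from the post; the others are constructed samples.
const samples = [
  "http://www.paypal.com@evilscammer.com/",
  "http://www%2Epaypal%2Ecom@evilscammer.com/",
  "http://member:s3cret@intranet.example/protected/",
  "http://intranet.example/protected/",
];
for (const s of samples) {
  const r = inspectUrl(s);
  console.log(`${s}\n  host=${r.host} user=${r.username || "-"} ` +
              `spoofLikely=${r.spoofLikely} display=${r.display}`);
}
```

The legitimate basic-auth URL keeps working under this approach: its username is still parsed and sent, it is just not rendered next to the host.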