From the latest Mozilla status report:
The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).
This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).
I've always thought syntax colouring looks prettier than escaping.
Why is that Mozilla developers, who talk all day about how more standards-compliant their browser is, are purposely introducing non-standard behavior?
Smarter than IE developers? No. More inconsistent than IE developers? Yes.# Anonymous coward
Huh? There's nothing standards-uncompliant about this. When a URL is visited, Mozilla re-encodes it to an exactly equivalent URL (it's equivalent because of standards!), but one which cannot be maliciously abused, then displays that URL in the address bar. It's just a UI issue.# Ian Bicking
Well, a lot of IE users don't have the address bar turned on. This was turned up by some usability survey - most people did not know what to do with a URL.
Well, if someone doesn't have the address bar switched on, there's no need to go to the trouble of using usernames & passwords in the URL to fool them.
Just send them HTML email with a link to http://evil.com/ and tell them its their bank. If they never see the URL at all, there's no need to do anything complicated to fool them.
Sheesh, you can't save everyone from their own ignorance all of the time!# AndyT