MozillaZine

Network.http.phishy-userpass-length

From MozillaZine Knowledge Base

Contents

Background

A popular method of disguising a website’s true location is to make use of the username/password syntax in URLs. Normally, when sites require authentication, users can specify the username and password directly in the URL thusly:

http://username:password@example.com/

(This is the same syntax that FTP URLs use.) However, this syntax can be abused to make it appear as though the URL is that of another host:

http://www.mozilla.org&login3:141592653589793238462643383279502884197169@example.com/evil

In response to this possibility, Microsoft removed the syntax from IE. Mozilla’s response was to use a dialog to warn the user when visiting URLs that use the username and password syntax (but not when manually entering them). This preference lets you determine what is considered “phishy” enough to warrant displaying the dialog.

Possible values and their effects

This integer preference can be a number between 0 and 255, inclusive. If the length of the HTTP username plus the length of the HTTP password is greater than this value, display the warning dialog. The default value is 1.

Recommended settings

You can disable the dialog entirely (for most cases) by setting the preference to 255. Naturally this should be done only if you are familiar with the username/password syntax for URLs.

First checked in

2004-04-15 by Darin Fisher

Has an effect in

  • Mozilla Firefox (all versions since 1.0)
  • Mozilla Suite (all versions since 1.7)
  • SeaMonkey

Related bugs

See also

External links