Network.http.phishy-userpass-length
Background
A popular method of disguising a website’s true location is to make use of the username/password syntax in URLs. Normally, when sites require authentication, users can specify the username and password directly in the URL like this:
http://username:password@example.com/
(This is the same syntax that FTP URLs use.) However, this syntax can be abused to make it appear as though the URL is that of another host:
http://www.mozilla.org&login3:141592653589793238462643383279502884197169@example.com/evil
In response to this possibility, Microsoft removed the syntax from IE. Mozilla’s response was to use a dialog to warn the user when visiting URLs that use the username and password syntax (but not when manually entering them). This preference lets you determine what is considered “phishy” enough to warrant displaying the dialog.
Possible values and their effects
This integer preference can be a number between 0 and 255, inclusive. If the length of the HTTP username plus the length of the HTTP password is greater than this value, the warning dialog is displayed. The default value is 1.
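The comparison described above, written out as an added example (not Mozilla's code and not part of the original page). It uses the standard URL parser; the function name checkUserinfo and its return fields are hypothetical, and it models only the length test, not the exception for manually entered URLs.

```javascript
// Added illustration: models the length comparison described above.
// Not Mozilla's implementation; function and field names are hypothetical.

const DEFAULT_THRESHOLD = 1; // default value of the preference, per the page

// Decode percent-escapes so "%40" counts as one character; fall back to raw text.
function decoded(part) {
  try {
    return decodeURIComponent(part);
  } catch (e) {
    return part;
  }
}

// Returns the real host, the userinfo length, and whether the warning would fire.
function checkUserinfo(rawUrl, threshold = DEFAULT_THRESHOLD) {
  if (!Number.isInteger(threshold) || threshold < 0 || threshold > 255) {
    throw new RangeError("threshold must be an integer from 0 to 255");
  }
  const url = new URL(rawUrl);
  const user = decoded(url.username);
  const pass = decoded(url.password);
  const length = user.length + pass.length;
  return {
    host: url.hostname,        // where the request actually goes
    userinfoLength: length,
    warn: length > threshold,  // "greater than this value"
  };
}

// Constructed sample inputs: the two URLs shown on the page plus one without userinfo.
const samples = [
  "http://username:password@example.com/",
  "http://www.mozilla.org&login3:141592653589793238462643383279502884197169@example.com/evil",
  "http://example.com/",
];

for (const s of samples) {
  const r = checkUserinfo(s);
  console.log(`${r.host} userinfo=${r.userinfoLength} warn=${r.warn}`);
}
```

Everything before the last @ in the authority is userinfo, so the second sample resolves to example.com even though the text a reader sees first is www.mozilla.org.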
Recommended settings
You can disable the dialog entirely (in most cases) by setting the preference to 255. Naturally, this should be done only if you are familiar with the username/password syntax for URLs.
First checked in
Has an effect in
- Mozilla Firefox (all versions since 1.0)
- Mozilla Suite (all versions since 1.7)
- SeaMonkey
Related bugs
- Bug 232567 - Warn when HTTP URL auth information isn’t necessary or when it’s provided
- Bug 243572 - Annoying confirm dialog on every request to site when using a user:password URL