Microsoft breaking IE’s URL parsing to ‘help’ users

Okay, this bugs me. Microsoft is changing the way Internet Explorer supports supplying authentication information in URLs. Details are in this Knowledge Base article: “Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs”.

 

The problem is, this behaviour isn’t Microsoft’s to change; it’s specified as part of RFC 1738.

 

The annoying part is that, like the change to Outlook that just eats “dangerous” attachments, giving the user no recourse, this is breaking functionality that some users find useful.

 

There are other ways.

 

For example, parse the URL and display it differently. If the URL is “http://cnn.com@evilhost.com” then display it as “http://evilhost.com (as cnn.com)” in the task bar and in the address bar. The problem isn’t users typing in bad URLs; the problem is evil links in emails, webpages, instant messages, etc. So whenever IE receives a URL from anywhere other than the user typing it in, it could ask the user to verify that they want to connect to “http://evilhost.com” and log in as user “cnn.com”. Users would notice that. Not every single one, but certainly most of them.
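Here is a sketch of that display-and-confirm idea, added as an example and not taken from IE or from anything Microsoft ships. The function names and the `source` tags are hypothetical, and the sample URLs other than the one above are constructed.

```javascript
// Added example. Uses the WHATWG URL parser built into browsers and Node.js.

// Split an http(s) URL into the host actually contacted and any userinfo.
function describeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;

  // Real destination first: scheme + host (+ port), then the rest.
  const path = u.pathname === '/' ? '' : u.pathname;
  const target = `${u.protocol}//${u.host}${path}${u.search}${u.hash}`;

  const hasUserinfo = u.username !== '' || u.password !== '';
  // The parser keeps userinfo percent-encoded; leave it that way for display.
  const user = u.username;
  let display = target;
  if (hasUserinfo) {
    // Assumption: the password is never echoed, only its presence is noted.
    const pw = u.password !== '' ? ', password hidden' : '';
    display = `${target} (as ${user || 'no user name'}${pw})`;
  }
  return { target, user, hasUserinfo, display };
}

// Prompt text for URLs that did not come from the user typing them in.
// `source` is a hypothetical tag such as 'typed', 'email', 'webpage', 'im'.
function confirmationPrompt(raw, source) {
  const d = describeUrl(raw);
  if (!d || !d.hasUserinfo || source === 'typed') return null;
  return `Connect to "${d.target}" and log in as user "${d.user}"?`;
}

// Constructed sample input.
for (const url of ['http://cnn.com@evilhost.com',
                   'https://www.cnn.com:news@evilhost.example/story?id=1',
                   'http://evilhost.example/plain']) {
  console.log(describeUrl(url).display, '|', confirmationPrompt(url, 'email'));
}
```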

 

Alternatively, turn it off by default but allow users to turn it back on.  Like I said, it bugs me that I can’t email a .EXE to someone, although the Internet standards certainly allow it, and there’s nothing I can do about it.