Brief Summary
In URLs containing an @ symbol, the URL preview (in the bottom-left hover, and the top bar when on the site) could show something like https://<user>@domain.ext/page, to make it clear what the actual domain is.
This is to reduce the ease with which someone can be phished/misled by a URL that appears to be a legitimate source but is actually directed to some other domain later in the URL.
Details:
For some context, this article made me aware that there's apparently a niche URL functionality that allows specifying a username before an @ symbol in a URL, which in practice means a phisher can craft a legitimate-looking URL that only has dodgy things at the end. That functionality has been made extra exploitable by Google's recent release of the .mov and .zip web domain extensions, which could easily get confused with file extensions for a download.
Accordingly, a URL like https://orionfeedback.org%2Fperfectly%2Fsafe%2Fdownload%2F@danger.zip would validly be directed to the danger.zip website, and due to the browser's URL escape handling would show up as https://orionfeedback.org/perfectly/safe/download/@danger.zip, so the only obvious sign that there's something wrong is the @ symbol near the end of the URL, which most people likely don't know to look for (and may not see).
With my proposed shrink notation that would instead show up in the preview as https://<user>@danger.zip, which makes it much more obvious that it's not going to the expected location, and legitimate use cases that want to confirm the username could hopefully click into the URL bar to see the full form instead of the shrunken one.
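To show concretely how the userinfo trick works and what the proposed shrink notation would display, here is an added example (not part of the original post or the browser's code) that uses the standard WHATWG URL parser available in browsers and Node. The function name analyzeUrl and the sample URLs are constructed for illustration.

```javascript
// Added example: split a URL the way a browser does and build the "shrunk"
// preview proposed above. Hypothetical function name; sample URLs constructed.

function analyzeUrl(href) {
  const url = new URL(href);
  // Anything before '@' in the authority is userinfo, not the host.
  const hasUserinfo = url.username !== "" || url.password !== "";

  // What an address bar that percent-decodes for display would show:
  // the %2F sequences turn back into slashes, so the userinfo reads like a path.
  let displayed;
  try {
    displayed = decodeURIComponent(href);
  } catch {
    displayed = href; // malformed escapes: fall back to the raw string
  }

  // Proposed shrink notation: collapse userinfo (username and password) to a
  // fixed <user> token so the effective host is the first thing the eye sees.
  const authority = hasUserinfo ? `<user>@${url.host}` : url.host;
  const preview = `${url.protocol}//${authority}${url.pathname}${url.search}`;

  return { hasUserinfo, host: url.hostname, displayed, preview };
}

// Constructed samples: the lookalike URL from the post, and a genuine one.
const DODGY = "https://orionfeedback.org%2Fperfectly%2Fsafe%2Fdownload%2F@danger.zip";
const SAFE = "https://orionfeedback.org/perfectly/safe/download/";

if (typeof require !== "undefined" && require.main === module) {
  for (const href of [DODGY, SAFE]) {
    const r = analyzeUrl(href);
    console.log(`${r.displayed}\n  -> preview: ${r.preview} (host: ${r.host})`);
  }
}
```

Running it prints the decoded lookalike form beside the shrunk preview, with danger.zip reported as the host that would actually be contacted.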