Saturday, January 31, 2004

Microsoft to Change IE Behavior to Block Spoofing

"Microsoft Corp. has announced in a support document that it will be releasing a software update to Internet Explorer and Windows Explorer to disable the use of certain syntax in HTTP URLs. The syntax, designed to allow a username and password to be passed to a password-protected page, has a history of abuse. The company did not give a timeline for the release of the patch.

The syntax takes the form http[s]://username:password@server/file.html, such as 'http://joe:blow@www.microsoft.com/', where 'joe' is the username and 'blow' is the password. But a site that does not look for the username and password will ignore the values passed, and only the string after the '@' symbol is used for the domain name. Other browsers support this syntax to varying degrees."

ieXbeta Board - Microsoft to Change IE Behavior to Block Spoofing
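
The parsing rule described in the quoted passage, as an added example (not part of the original post or of Microsoft's update): it uses the standard WHATWG `URL` parser to show which host a link really targets and to flag http(s) links that carry a userinfo part. `inspectLink`, `safeDecode` and the `example.*` URLs are constructed for illustration.

```javascript
// Added example: report the real target host of a link and flag http(s)
// URLs that carry a userinfo ("username:password@") component.
// inspectLink, safeDecode and the example.* URLs are constructed for illustration.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser (global in browsers and Node.js)
  } catch {
    return { raw, valid: false, flagged: false };
  }
  const isHttp = url.protocol === 'http:' || url.protocol === 'https:';
  const hasUserinfo = url.username !== '' || url.password !== '';
  const username = safeDecode(url.username);
  // A username shaped like a DNS name makes the link easy to misread.
  const userinfoLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
  const host = url.hostname; // only the part after '@' names the server

  // Same link with the credentials removed, suitable for display or logging.
  url.username = '';
  url.password = '';
  return {
    raw, valid: true, flagged: isHttp && hasUserinfo,
    host, username, userinfoLooksLikeHost, stripped: url.href,
  };
}

const samples = [
  'http://joe:blow@www.microsoft.com/',               // example from the article
  'http://www.example.com@host.example.net/file.html', // constructed
  'https://www.example.org/a@b',                       // '@' in the path, no userinfo
];
for (const s of samples) console.log(inspectLink(s));
```
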
