Hector Martin

You don’t need to support credentials in URLs in order to support basic auth. The credentials are placed in header fields in the HTTP get request.

Credentials in a URI is one (perhaps the only?) standard way for supplying the contents of that header field that is cross-application.

Microsoft disabled it in IE for security reasons, so it wasn’t all that cross-application. A standard rule of web development is never to put anything confidential in the URL because URLs leak all over the place. Browser history, for example.

The *point* of putting confidential information in the URL is to make it portable. So you can paste the URL into another app and it'll work. Yes, it's a tradeoff. But I don't expect the browser to deliberately leak them as non-discoverable xattrs on files.

RFC 3986 section 7.5: "URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies)."

RFC 3986 s 7.5 contnd: "A password appearing within the userinfo component is deprecated and should be considered an error (or simply ignored) except in those rare cases where the 'password' parameter is intended to be public."

So as per the RFCs, if you put a password in a URL, it's because you intend it to be public. So curl's behavior is fine. (Curl has command line arguments for specifying non-public usernames and passwords.)

I'm sorry, when did we go from "logged in your browser history" to "public"? Your argument is bullshit. You're saying that just because a particular thing has some (known) security caveats it's fine to gratuitously introduce more undiscoverable ones to bite people in the ass.