115

Is it safe to use an @ symbol as part of a user? For example, a possible URL would be http://example.com/@dave.

The idea is that, nowadays, users are commonly called "@user", so why not make the user page "@username"?

unor
  • 92,415
  • 26
  • 211
  • 360
Geoff
  • 9,470
  • 13
  • 52
  • 67

5 Answers5

147

Percent-encoded …

You can use the @ character in HTTP URI paths if you percent-encode it as %40.

Many browsers would display it still as @, but e.g. when you copy-and-paste the URI into a text document, it will be %40.

… but also directly

Instead of percent-encoding it, you may use @ directly in the HTTP URI path.

See the syntax for the path of an URI. Various unrelated clauses aside, the path may consist of characters in the segment, segment-nz, or segment-nz-nc set. segment and segment-nz consist of characters from the pchar set, which is defined as:

pchar = unreserved / pct-encoded / sub-delims / ":" / "@"

As you can see, the @ is listed explicitly.

The segment-nz-nc set also lists the @ character explicitly:

segment-nz-nc = 1*( unreserved / pct-encoded / sub-delims / "@" )

So, a HTTP URI like this is totally valid:

http://example.com/@dave

Example

Here is an example Wikipedia page:

  • link
  • copy-and-paste: http://en.wikipedia.org/wiki/%22@%22_%28album%29

As you can see, the ", (, and ) characters are percent-encoded, but the @ and the _ is used directly.

unor
  • 92,415
  • 26
  • 211
  • 360
  • 1
    Good news! But then, why don't Twitter does this? – Augustin Riedinger Jan 19 '15 at 20:03
  • 1
    @AugustinRiedinger: Could you provide an example URL? I don’t use Twitter, and from what I see they don’t use `@` in URLs anymore, but the old (?) profile URLs still work: [example with percent-encoded `@` (does **not** work!)](https://twitter.com/%40stackexchange) vs. [example using `@` directly (does work!)](https://twitter.com/@stackexchange). – unor Jan 19 '15 at 21:19
  • Interesting! Indeed, works with or without `@` in the case of Twitter. Their inner links do refer the the url without `@` though: https://twitter.com/@stackexchange – Augustin Riedinger Jan 19 '15 at 21:47
  • I had to upvote :3 The main issue with @-sign is that its also used by some applications to split username@somesite.com for direct authentication like SSH and such, but for HTTP plain and good, as soon as its after the first / I don't think there is any problem either. – Felype Aug 27 '15 at 16:30
  • should '@' and it's encoded form '%40' be treated as equivalent in a path according to the RFC? In other words does the RFC state that twitter.com/@stackexchange and twitter.com/%40stackexchange SHALL be treated equivalently? – Ralph Callaway Apr 28 '16 at 17:49
  • 1
    @RalphCallaway: AFAIK [only *unreserved* characters are equivalent to their percent-encoded form](http://stackoverflow.com/a/20865614/1591669), but the `@` is not [*unreserved*](http://tools.ietf.org/html/std66#section-2.3). So consumers must not assume that `%40` and `@` are equivalent. – unor Apr 28 '16 at 18:04
  • For reference, the separate question about this: [Must '@' and '%40' be treated equivalently in URL paths?](http://stackoverflow.com/q/36922192/1591669) – unor Apr 29 '16 at 13:44
  • 2
    `Many browsers would display it still as @, but e.g. when you copy-and-paste the URI into a text document, it will be %40.` That's not true for Chrome. – Defozo Jul 23 '16 at 12:55
  • Sub-delims, including @, are valid in the path -- but caveat they are intended to be used by specific URI schemes and/or URI routing algorithms. They are NOT meant to be actually parts of the path segment -- but separators and operators within a path segment. Ideally `example.com/myResource` and `example.com/myResource@taco/` route to the same execution entry point. or resource, but are interpreted differently by the system/framework/project you are using when it comes to serving http services – That Realty Programmer Guy May 27 '22 at 20:22
49

Can you use the @-symbol in a URL? - Yes, you can!

Note that that @-character, hexadecimal value 40, decimal value 64, is a reserved characters for URI's. It's usage is for things like email-addresses in mailto:URI's, for example mailto:username@somewhere.foo and for passing username and password information on a URI (which is a bad idea, but possible): http://username:password@somewhere.foo

If you want a URL that has an @-symbol in a path you need to encode it, with so called "URL-encoding". For example like this: http://somewhere.foo/profile/username%40somewhere.foo

All modern browsers will display this as http://somewhere.foo/profile/username@somewhere.foo, and will convert any typed in @-sign to %40, so it's easy to use.

Many web-frameworks will also help you either automatically, or with helper-functions, to convert to and from URL-encoded URL's.

So, in summary: Yes, you can use the @-symbol in a URL, but you have to make sure it's encoded, as you can't use the @-character.

Lennart Regebro
  • 167,292
  • 41
  • 224
  • 251
  • +1 perfect. Instead of relaying on the theory better to give a try. This is the thing I meant, thanks for making this as nice answer. – Praveen Oct 22 '13 at 07:38
  • 7
    Though encoding is not bad advice, `@` characters do not "need" to be encoded in the path part of a url (http://greenbytes.de/tech/webdav/rfc3986.html#path) – brianreavis Aug 07 '16 at 23:33
  • Is the reverse true? If I have a URL with an `@`, can I replace the `@` with `%40`? It seems to not be the case for the following: - URL with `@` works: https://replit.com/@joseville/Prime-Numbers - but URL with `%40` instead of `@` doesn't work: https://replit.com/%40joseville/Prime-Numbers – joseville Mar 10 '23 at 21:58
12

In the RFC the following characters:

* ' ( ) ; : @ & = + $ , / ? % # [ ]

are reserved and:

The purpose of reserved characters is to provide a set of delimiting characters that are distinguishable from other data within a URI.

So it is not recommended to use these characters without encoding.

Community
  • 1
  • 1
Salvador Dali
  • 214,103
  • 147
  • 703
  • 753
0

Basicaly no.

@ is a reserved character and should only be used for its intended purpose.

See: http://perishablepress.com/stop-using-unsafe-characters-in-urls/ and http://www.ietf.org/rfc/rfc3986.txt

It can be used encoded, but I don't think that is what you were asking.

Apparently modern browsers will handle this. However you asked if this was safe and according to the spec of the RFC you should not be using it (unencoded) unless it is for its intended purpose.

Flexo
  • 87,323
  • 22
  • 191
  • 272
Jon P
  • 19,442
  • 8
  • 49
  • 72
0

I found this question when I tried to search site:typescriptlang.org @ts-ignore at Chrome, and then got the result of This page isn't working, ts-ignore is currently unable to handle this request and I saw the URL became "http://site:typescriptlang.org%20@ts-ignore/". I felt so refused, then searched @ symbol's function at an URL and then I found my answer on Wikipedia.

The full format of the URL is scheme://userInfo@host:port/path?query#fragment. so when we search site:typescriptlang.org @ts-ignore, the browser will think you want to visit "http://site:typescriptlang.org%20@ts-ignore/". In this URL, http is a scheme, site:typescriptlang.org%20 is a userInfo ("%20" is escaped by a space character), "ts-ignore/" is a host. Of course, we can't visit the host named "ts-ignore" without a domain.

So, @ symbol can be a separator between userInfo and host.

Ptr2NextPole
  • 1
  • 1