This is a security question regarding a URL

If I have this URL https://www.wikipedia.org and I place an @ symbol on the end of the URL followed by a domain like so https://www.wikipedia.org@google.com, why does this redirect me to google.com and not just fail? This is a major security risk as people can be redirected to alternative URLs. Can anyone please explain why this is a feature in Google Chrome?

1 Answer

The @ symbol in a URL is used to specify authentication details, as per RFC 3986 Section 3.2.1. Usually, you'd see it appear similar to http://username:password@domain.com to pass username and password to a domain.

In your example, the www.wikipedia.org (before the @ symbol) would be sent in the HTTP Authorization header to sites expecting it. It isn't redirecting to another domain. It's sending the part before the @ symbol to the stated domain (in your case, google.com).

This is perfectly valid per the HTTP specification. This doesn't really present a particular security risk, since the full domain is visible to the user before they submit the request. It's not injected or added without the user's knowledge. This would be no more of a security risk than if someone decided to create a multi-level subdomain on their site like http://wikipedia.com.someothersite.com. Deceptive maybe, but no more of a security risk than the inherent risk in using the internet.

  • Thank you for this information but your example does not work for me. Can you please show me a working example? – user3500000 May 05 '21 at 22:05
  • @user3500000 I apologize, the example site no longer supports this. But this other SO question contains more info related to what I was describing that might be helpful: https://stackoverflow.com/questions/4980912/username-and-password-in-https-url – JoshG May 06 '21 at 07:58
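As an added illustration (not part of the original question or answer), the following Python splits the URLs from this thread with the standard library's urllib.parse, which applies the RFC 3986 rule the answer describes: everything between `//` and the last `@` in the authority is userinfo, and the host is what follows it. The `basic_auth_header` helper shows the Authorization value HTTP Basic auth would derive from that userinfo, and `userinfo_looks_like_host` is a simple heuristic of this example's own (not anything Chrome does) for flagging links whose userinfo is dressed up to look like a hostname.

```python
from urllib.parse import urlsplit
import base64


def parse_userinfo_url(url: str) -> dict:
    """Return the RFC 3986 components of a URL; the host is always the part after '@'."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username,   # userinfo before ':' (None if there is no '@')
        "password": parts.password,   # userinfo after ':' (None if absent)
        "hostname": parts.hostname,   # the server actually contacted
        "port": parts.port,
        "path": parts.path,
    }


def basic_auth_header(url: str):
    """Authorization header value HTTP Basic auth derives from the userinfo, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    credentials = f"{parts.username}:{parts.password or ''}"
    return "Basic " + base64.b64encode(credentials.encode()).decode()


def userinfo_looks_like_host(url: str) -> bool:
    """Heuristic (this example's own): a userinfo containing a dot and no password
    reads like a hostname, as in the question's https://www.wikipedia.org@google.com."""
    parts = urlsplit(url)
    return parts.username is not None and parts.password is None and "." in parts.username


if __name__ == "__main__":
    # Sample URLs taken from the question and the answer above.
    for sample in (
        "https://www.wikipedia.org@google.com",
        "http://username:password@domain.com",
        "http://wikipedia.com.someothersite.com",
    ):
        info = parse_userinfo_url(sample)
        print(sample)
        print("  host contacted :", info["hostname"])
        print("  userinfo       :", info["username"], info["password"])
        print("  Basic header   :", basic_auth_header(sample))
        print("  host lookalike :", userinfo_looks_like_host(sample))
```

Running it shows the point of the answer concretely: for the question's URL the hostname is google.com and www.wikipedia.org is merely the username, while the answer's subdomain example resolves to a hostname that only begins with wikipedia.com. A link checker or URL-rewriting proxy that compares `hostname` rather than the raw string is not fooled by either form.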