If you’re trying to trick people into thinking a domain name is legit and definitely not harmful, just put google.com@ in front of it.

It works because of how URLs are put together: in the part after "https://", anything before an "@" is the "userinfo" (a username, optionally with a password), and the real host is whatever comes after the "@". So the browser goes to chriscoyier.net here, and google.com is just a username:

https://google.com@chriscoyier.net/

It’s not a Google thing; anything that’s allowed in a username works:

https://daverupert.com@chriscoyier.net/

It opens a door to make functional URLs that go somewhere you really aren’t expecting:

https://definitely-safe-place-to@buy-drugzzz.com

I saw this in The Dangers of Google’s .zip TLD, which used these two examples. They look almost identical, but the first one uses the Unicode division slash ("∕", U+2215) in place of every "/":

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Try the first one. In every browser it takes you to the host v1271.zip: the "∕" characters aren’t real slashes, so nothing before the "@" is a path, the whole github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕ run is parsed as a username, and the host is what’s left after the "@". That domain doesn’t exist at the moment, but now that .zip is a TLD, it’s a perfectly registrable web address.
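Here is an added example, not code from the original post, that runs the URLs above through the WHATWG URL parser that browsers and Node.js share and reports what each one actually connects to. The https://user:pass@example.com/private/ entry and the looksLikeHostLure heuristic are my own additions for illustration; legacyBasicAuthHeader shows what a browser that still honored credentials in URLs would have sent, which is the behaviour the comments below describe.

```javascript
// Added example (not from the original post): run the post's URLs through the
// WHATWG URL parser that browsers and Node.js share, and report what each one
// actually connects to. In the authority part of a URL, everything between the
// "//" and the "@" is the userinfo (username[:password]); the host is what
// follows the "@".

// Constructed sample inputs. The third uses U+2215 DIVISION SLASH ("∕") instead
// of "/"; it looks like a path separator but is not one, so the parser treats
// the whole run up to the "@" as a username. The last one (user:pass@example.com)
// is a hypothetical credentials-in-URL form, not from the post.
const SAMPLES = [
  "https://google.com@chriscoyier.net/",
  "https://definitely-safe-place-to@buy-drugzzz.com",
  "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
  "https://user:pass@example.com/private/",
];

// url.username / url.password come back percent-encoded (non-ASCII bytes become
// %XX). Decode them for display, but never let a stray "%" in attacker-controlled
// input crash the inspector: the parser leaves a bare "%" as-is, and
// decodeURIComponent throws on malformed sequences.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Parse one URL string and say where a browser would really send the request.
// Returns null for anything that is not a valid absolute URL.
function inspectUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  const username = safeDecode(url.username);
  const password = safeDecode(url.password);
  const hasUserinfo = username !== "" || password !== "";
  return {
    input,
    hostname: url.hostname, // the only field that decides where the request goes
    username,               // the text a reader is likely to mistake for the domain
    password,
    hasUserinfo,            // the strong signal: legitimate links almost never carry userinfo
    // Extra signal (my own heuristic): the username starts with something shaped
    // like a hostname, e.g. "google.com" or "github.com∕kubernetes...".
    looksLikeHostLure: hasUserinfo && /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(username),
  };
}

// What a browser that still honored credentials in URLs would have sent:
// "user:pass" base64-encoded in an Authorization header. Modern browsers no
// longer do this, but the parser still splits the URL the same way.
function legacyBasicAuthHeader(info) {
  if (!info || !info.hasUserinfo) return null;
  return "Basic " + Buffer.from(`${info.username}:${info.password}`, "utf8").toString("base64");
}

for (const sample of SAMPLES) {
  const info = inspectUrl(sample);
  const userinfo = info.hasUserinfo
    ? `  userinfo: ${info.username}${info.password ? ":" + info.password : ""}`
    : "";
  const lure = info.looksLikeHostLure ? "  <-- host-shaped username, likely a lure" : "";
  console.log(`${sample}\n  host: ${info.hostname}${userinfo}${lure}`);
}
```

Run it with node. The practical check is the hostname field: if a link carries any username or password at all, treat everything before the "@" as decoration and read the destination from what comes after it.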



6 responses to “If you’re trying to trick people into thinking a domain name is legit and definitely not harmful, just put google.com@ in front of it.”

  1. Adam Richeimer says:

    This is part of HTTP Basic Authentication. Some websites allow you to log in using http://myusername:mypassword@example.com or if you leave out the password then you get a little modal from the browser asking for it. It’s easy to turn on with web servers like nginx. Useful for password protecting a page for a website before it is ready to go live.

  2. Ben says:

    Waaaaaay back, you could send your credentials to a website like http://user:pass@totallysafe.com. Browsers would take the username and password and inject them into the Authorization header. AFAIK, no browsers will do this anymore, but they still respect the URL format, in case someone clicks on such a URL from an email from 1998.

  3. Tont says:

    Firefox warns the user about it.

  4. Nicolas says:

    Firefox does show a warning:

    You are about to log in to the site “chriscoyier.net” with the username “google%2Ecom”, but the website does not require authentication. This may be an attempt to trick you.
    Is “chriscoyier.net” the site you want to visit?

  5. Jans Carton says:

    It goes beyond HTTP and the web. It’s part of the URI spec — the “User Information” subcomponent of a URI.

    https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1

    The spec recommends that the userinfo subcomponent be rendered differently to avoid “Semantic Attacks”, which is not a very realistic option. They go on to describe the exact problem that Chris points out here:

    https://datatracker.ietf.org/doc/html/rfc3986#section-7.6

    You’ll see in the spec that the userinfo subcomponent is partially deprecated. In my opinion, it shouldn’t be supported by browsers at all.
