[josteink]

Someone can provide you with a clickable link, as in for instance this submission, and you would never even know that the content you are accessing is supposed to be "protected".

[gabemart]

You can format a link to be something like:

http://username:password@members.example.com

I wouldn't say that means the account in question is unprotected.

[josteink]

If you are going to nitpick, I will say that this is a feature that relies on browser-support. It's not fundamental to the web. Query-strings however by definition needs to be supported on the server-side. They are a part of the web. They are required for the web to work.

Why is "browser-support" relevant? Your example is not supported in MSIE. I also thought it was removed from Chrome (in the name of "simplicity"), but I may be wrong.

A link with query-strings is guaranteed to work for everyone.

http://support.microsoft.com/kb/834489

[gabemart]

Huh, I had no idea that feature had been deprecated. I guess it's been a little longer since I used it than I thought.

[josteink]

It was used for lots of http://famous-website.com:long-token-nobody-will-ever-read@p... style attacks.

Microsoft's solution to the problem may not have been ideal, but at least that was the reasoning behind it.

Edit: And what do you see once you click post? Hacker news ironically proving Microsoft's point. It's a wonderful world we live in.

[robmurrer]

I see your point, but how does this apply to this case?