They are just more likely to be scam-like, particularly since they can be assumed to be a file at a glance.
Even more deviously, crafty URLs like this further hide what you are actually doing, like this:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
Hover it with your cursor, watch what that actually links to, no markup cheating involved. Anything before the @ is just user information. Imagine clicking that and thinking you downloaded a tagged build, only to get malware?
It’s not the end of the world, but as a developer it makes great sense to just auto-block it to avoid an incident. The above URL is from this article, which says it’s not as big of a problem too:
https://www.theregister.com/2023/05/17/google_zip_mov_domains/
But it’s kind of a death by a thousand cuts to me, because it’s another thing with another set of considerations across the internet ecosystem that one will have to deal with.
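
The hover check described in the comment above, automated as an added example that is not part of the original post: it parses a link the way a client does and reports the host actually contacted plus the tricks used in the authority. The finding codes, the lookalike list and the `should_block` policy are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Characters that render like "/" but do not end the authority (constructed, not exhaustive).
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}
# TLDs that double as file extensions; the linked article's URL names zip and mov.
FILE_LIKE_TLDS = {"zip", "mov"}


def inspect_url(url):
    """Return (host the client connects to, sorted list of finding codes)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        # urlsplit rejects some authorities outright; report that as a finding.
        return "", ["unparseable-authority"]
    # Everything before the last "@" in the authority is userinfo, not the host.
    userinfo = parts.netloc.rpartition("@")[0]
    findings = set()
    if userinfo:
        findings.add("userinfo-present")
        if "." in userinfo:
            findings.add("userinfo-looks-like-hostname")
    if any(ch in SLASH_LOOKALIKES for ch in parts.netloc):
        findings.add("slash-lookalike-in-authority")
    if host.rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
        findings.add("file-like-tld")
    return host, sorted(findings)


def should_block(url):
    """Assumed policy: block links with userinfo or a slash lookalike in the authority."""
    _, findings = inspect_url(url)
    blocking = ("userinfo-present", "slash-lookalike-in-authority", "unparseable-authority")
    return any(code in findings for code in blocking)


# The URL quoted in the comment; the slashes before "@" are U+2215, not "/".
DECEPTIVE = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1271.zip")
# Constructed contrast: the same text with ASCII slashes and no "@".
PLAIN = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1271.zip"

if __name__ == "__main__":
    for u in (DECEPTIVE, PLAIN):
        print(inspect_url(u), should_block(u))
```

For the quoted URL the reported host is `v1271.zip`, while the ASCII-slash contrast resolves to `github.com` with no findings.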