I have noticed that when I use the userinfo part (user:password) in an HTML attribute such as href or src, the Chrome dev tools seem to go crazy.
For example, if I navigate to http://localhost:8080 and the displayed document's HTML contains this:
<a href="http://kaczka:dziwaczka@google.pl">yo mama</a>
then the dev tools, upon hovering or copying the attribute value, yield http://localhost:8080/http://kaczka:dziwaczka@google.pl.
The link itself, however, works correctly when simply clicked.
Does anybody know wheter this is an issue with Chrome dev tools or some intentional feature? If this is intentional, why does this happen?
No, this is not by design. Rather, this type of URL has never been regarded to be completed correctly. Generally speaking, this type of credentials specification has been deprecated - use the Authorization HTTP header instead (see serverfault.com and https://code.google.com/p/chromium/issues/detail?id=123150).