Here's one for example.com. Without the host header, it still misbehaves, but it at least does something.
While nice, I can't help but imagine the mayhem once someone finds a URL parsing bug that leads to remote code execution. Then again, URL parsing is decades old now, the odds that it still contains a RCE is probably low.
Non of them accept Dotted overflow, Class B or Class C.
Decimal Dotted http://192.168.0.1/
Decimal Dotted Overflow http://448.424.256.257/
Decimal Long http://3232235521/
Decimal Long Overflow http://7527202817/
Decimal Class A http://192.11010049/
Decimal Class B http://49320.1/
Decimal Class C http://12625920.1/
Decimal Long with auth http://fake.site@3232235521/
Octal Dotted http://0300.0250.00.01/
Octal Dotted Overflow http://0700.0650.0400.0401/
Octal Long http://030052000001/
Octal Long Overflow http://070052000001/
Octal Class A http://0300.052000001/
Octal Class B http://0140250.01/
Octal Class C http://060124000.01/
Octal Long with auth http://fake.site@030052000001/
Hex Dotted http://0xc0.0xa8.0x0.0x1/
Hex Dotted Overflow http://0x1c0.0x1a8.0x100.0x101/
Hex Long http://0xc0a80001/
Hex Long Overflow http://0x1c0a80001/
Hex Class A http://0xc0.0xa80001/
Hex Class B http://0xc0a8.0x1/
Hex Class C http://0xc0a800.0x1/
Hex Long with auth http://fake.site@0xc0a80001/
In the name of security the change way too many moving parts lately to push their hidden agenda.
Using HTTP in local LAN is fine. Using HTTP for non login-pages is fine. Using "basic authentification" (user:pwd@IP) is fine for certain use cases. Stop breaking things.
I am not using a Firefox anymore, they went insane lately, they don't bother about their community anymore. I am worried about Chrome too, TLS only for HTTP/2 is the wrong signal. So many times I couldn't open a HTTPS sites because the browser thinks the cert is broken - it was just a trivial page were I just want to read some text (not input anything) - just some me the page - something that wouldn't be a problem with HTTP.
If Firefox, Chrome or whoever want to destroy access to 1994-2017 websites, go to hell. Name your forked off thing TheMicrosoftNetwork (or what not) and see it tank rather quickly.
Huh, that's just security theater. The phisher could set up a website that does require authentication, thereby avoiding the warning.
The sensible thing to do would be to display the warning if the username contains unescaped dots.
(I.e., http://cnn.com:email@example.com/ would provoke warnings, but http://cnn%2Ecom:firstname.lastname@example.org/ would not.)
Chrome takes me to 188.8.131.52 no warning
Then I tried
Which stretches way past my laptops viewable URL bar... and it takes me right to badsite.null (or a valid site like example.com). If you need HTTPs you can redirect on badsite.null's web server. Very wild.
It's trivial to make users think they are not visiting evil.com, or just to serve evil content from evil2.com instead. This means a blacklist model of web addresses will never work, and even the most naive computer user uses a whitelist instead, if they pay attention to urls at all.
The username:email@example.com/... trick is the exception, and it's good that browsers are working on ways to mitigate this.
The creation of new TLDs in the last few years only increases the permutations.