Message 294694 - Python tracker

I think the best behavior is to do what popular web browsers do. Chrome and Firefox, for example, parse this as host 127.0.0.1, path /, fragment #@evil.com.

If the code does want to support username/password, it should do a custom opener (with basic HTTP authentication) instead.
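The two points in the message above, as an added example that is not part of the original message or of CPython's code: check how `urllib.parse.urlsplit` splits such a URL, and supply credentials through an opener instead of the URL. The sample URL, the credentials and the helper names `split_like_browser` and `opener_with_basic_auth` are constructed for illustration.

```python
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample matching the shape described in the message.
SAMPLE_URL = "http://127.0.0.1#@evil.com"


def split_like_browser(url):
    """Return (host, path, fragment) the way a browser reports them.

    urlsplit ends the authority at the first '/', '?' or '#', so the
    '@evil.com' part lands in the fragment (returned without the '#').
    """
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/", parts.fragment


def opener_with_basic_auth(url, username, password):
    """Build an opener that carries credentials out of band.

    URLs with embedded userinfo are rejected, so the host a request goes to
    is never decided by how 'user@host' happens to be split.
    """
    parts = urlsplit(url)
    if "@" in parts.netloc:
        raise ValueError("credentials must not be embedded in the URL")
    # Scope the credentials to the parsed scheme and authority only.
    base = urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base, username, password)
    handler = urllib.request.HTTPBasicAuthHandler(mgr)
    return urllib.request.build_opener(handler), mgr


if __name__ == "__main__":
    print(split_like_browser(SAMPLE_URL))
    opener, mgr = opener_with_basic_auth(SAMPLE_URL, "alice", "s3cret")
    # Credentials are bound to 127.0.0.1, not to anything after the '#'.
    print(mgr.find_user_password(None, "http://127.0.0.1/"))
    print(mgr.find_user_password(None, "http://evil.com/"))
```

No request is sent here; the opener only answers a Basic authentication challenge from the host the credentials were registered for.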