M Hickford <mirth.hickford@xxxxxxxxx> writes: > In order to nudge users towards more secure practices (namely, > using a credential helper), would anyone else be in favour of > changing transfer.credentialsInUrl to default to "warn"? I personally do not have a problem with the proposal, but it is curious that it is documented as inspecting only .URL and .pushURL is not checked. So, in addition to "once we start warning by default, we'd need an advice message to tell the users how to turn it off" Derrick says in the commit log message, we would probably want to see if we should/can cover .pushURL and need necessary updates before it happens. Thanks.
