Ok, but this is a problem that can be solved with a tiny patch that won't break anything: disallow HTTP basic auth embedded in URLs if any character codepoint is > 127. Require a pop up to enter the user/pass or just give an error about an invalid URL.

Unicode characters here should definitely need to be explicitly encoded as base64 for the Authorization header.

Anyone who *needs* this to work with Unicode characters can piss off. I'm willing to bet the RFCs don't have any MUST or SHOULD that mention non-ASCII characters be allowed here.

Tada, we fixed it and everyone can put down their keyboards and stop crying about new TLDs