It's possible to spoof domain by using %sF in URL's username: http://secretcookie.com%[email protected]/
vulners.com/securityvulns/securityvulns:doc:3451
vulners.com/securityvulns/securityvulns:doc:3466