usually, owncloud or some other webdav will not under root directory of a website, webdavs://USER@exmaple.com:443/owncloud/remote.php/webdav/ however, kio seems want to stat all the parent directory in that path, with webdavs://USER@exmaple.com:443/ , webdavs://USER@exmaple.com:443/owncloud, and webdavs://USER@exmaple.com:443/owncloud/remote.php ,which results in passing authentication infomation when it's not required. And kdelibs add a new feature (at least since 4.9) about warning if website doesn't require authentication, which is annoying when access webdav based folder. Reproducible: Always Steps to Reproduce: 1. access owncloud's webdav folder in dolphin Actual Results: some dialog jumps out complain about "is this site you really want to access". Expected Results: without such warning.
That is because you have "USER@" in the url while accessing a webserver that does not require authentication. Why do you specify a username in the url? BTW, you can disable this potential spoofing check in kio_http by adding "no-spoof-check=true" to $KDEHOME/share/config/kio_httprc. If you want to only disable it for this particular host, add it under [example.com] section.
Maybe this has to do with the bug, I reported: https://bugs.kde.org/show_bug.cgi?id=323038
It is not kio_webdav that does this but the directory lister that Dolphin uses. KIOslaves like kio_webdav only fulfill the request they receive. They do not perform additional requests on their own.
We cannot remove the spoof check since it was added for security purposes. There are two solutions to this problem: 1.) Do not automatically added your username to the URL you enter in the address bar. 2.) Disable the spoof check for that host by setting the "no-spoof-check" parameter to true in $HOME/.kde/share/config/kio_httprc: [example.com] no-spoof-check=true - Removing the hostname section, [example.com], will make that setting global and disable the URL spoof checking code completely.