The vulnerability still lies within the browser in this scenario. It should actually be somewhat trivial for all the major browsers to prevent this sort of attack.

This is obsolete functionality, I can't remember the last time I needed to authenticate to a website using the username@domainname.tld functionality. It should be something hidden behind a config: setting to turn on if you run into a legacy website still requiring it and know exactly what you're doing.