
Is http://mydomain.com/me@mail.com safe to use as a URL?


I am considering setting up a server to deal with URLs that include an email address, such as

http://mydomain.com/me@mail.com

According to RFC 3986, I understand @ is reserved in the authority part = //mydomain.com/, but unreserved in the path part /......., so currently I assume it's OK to use an email address in the path.

Having said that, I am still not sure if it is safe to use a URL like http://mydomain.com/me@mail.com in production.

Please advise. Thanks.


Solution

  • It's fine—your interpretation of the RFC is correct, and there's no "risk" (in terms of browsers doing the wrong thing) for using an @ in the URI portion.
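
The check described above, as an added example that is not part of the original question or answer: it validates a path against the RFC 3986 `pchar` rule (which lists `@` explicitly) and confirms with Python's `urllib.parse` that the `@` ends up in the path, not in the authority. The helper names `path_is_rfc3986`, `email_url` and `describe` are hypothetical, and the sample addresses are constructed.

```python
import re
from urllib.parse import urlsplit, quote

# RFC 3986 section 3.3:
#   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
_SEGMENT_RE = re.compile(rf"{_PCHAR}*\Z")


def path_is_rfc3986(path):
    """True if every '/'-separated segment consists only of pchar."""
    return all(_SEGMENT_RE.match(seg) for seg in path.split("/"))


def email_url(base, email):
    """Append an email address to base as a single path segment.

    '/', '?', '#', '%' and spaces inside the address are percent-encoded
    so they cannot change the URL's structure; '@' is left literal
    because pchar allows it.
    """
    return base.rstrip("/") + "/" + quote(email, safe="@!$&'()*+,;=:")


def describe(url):
    """Split a URL and report which component the '@' landed in."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "userinfo": parts.username,  # None unless '@' is in the authority
        "path": parts.path,
        "path_valid": path_is_rfc3986(parts.path),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(describe("http://mydomain.com/me@mail.com"))
    print(email_url("http://mydomain.com", "a/b?c#d@mail.com"))
```

On the server side, the same split is worth logging or asserting once, so that a proxy or framework that rewrites the path shows up early.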