Open Bug 212375 Opened 21 years ago Updated 2 years ago

Show the target URL of a link even despite JS

Categories

(Core :: DOM: Navigation, enhancement)

Product:
Core
Component:
DOM: Navigation
Platform:
x86
Linux
Type:
enhancement

Tracking

()

People

(Reporter: BenB, Unassigned)

References

(
URL
)

Details

If you mouse over a link, you see the href in the status bar. That's good to
know where you'll go when you click on the link. This is important, because I
want to control where I go to :). There may be many reasons to want to know that
- maybe
1. I neither trust the security of Mozilla nor the site where I'll go (but I
mindly trust the site where the link is, e.g. in case of a link collection).
2. Not wanting to leave (log) trails on certain sites
3. Boycotting Amazon ;-)
4. Bug 122445
5. Whatever

So far so good. However, I cannot always trust what I see in the status bar.
First, the site may have overwritten the statusbar text using JS, but I can (and
do) disable that in the prefs. More tricky is when there's a link with JS (either
<a href="javascript:var foo = 'blablabla'; location='somepage.html'">
or
<a href="somepage.html" onclick="location='someotherpage.html'">
). Unfortunately, we cannot block those cases, because that kind of JS abuse is
very common on legitimate sites. But it can also be used to conceal the real URL
for malice purposes.

This bug is about preventing that, to always show the user the URL where he'll
go when he clicks on something (may not even be a <a href>, but a div with
onclick and a blue, underlined style or an image or a form image button).

An intermediate solution could be to display "JavaScript link" when there's an
onclick despite a href.
Summary: Show the target URL of a link → Show the target URL of a link even despite JS
> There may be many reasons to want to know that

I forgot an important case: Email. I may not immediately know, if an email is
spam and just pretending to come from and link to a ligitimate site or if it's real.
> An intermediate solution could be to display "JavaScript link" when there's an
> onclick despite a href.

Many onclicks on links are not evil.  For example, Google sponsored links have
an onclick on a div behind a link because they want the whole box to act as a
link.  But the following code shows that an onclick on a div behind a link can
alter the destination of a link:

<div onclick="document.links[0].href = 'http://mozilla.org';">
<a href="http://www.squarefree.com/">Fo</a>
</div>
This is a good idea. It might work well w/ bug 230910 to reduce the amount of JS
spoofing.
Product: Browser → Seamonkey
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.

If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.

Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: General → Document Navigation
Product: SeaMonkey → Core
QA Contact: general → docshell
Moved to Core, but may be Firefox, depending on Gecko API.
Possible spoof testcase in url...
URL: data:text/html,<a href="Click: www.go...
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.