Closed
Bug 605478
Opened 14 years ago
Closed 14 years ago
URL Spoofing via onclick
Categories
(Firefox :: Security, defect)
RESOLVED
INVALID
People
(Reporter: the_l0st_s0ul, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

Same old story, hover over a link to see the status bar or check the properties of the link to see that it suggests the target is one place, but in reality the link will lead elsewhere.

Reproducible: Always

Steps to Reproduce:
<a href='1' onclick=this.href='2'>LINK</a>

Actual Results:
The onclick function updates the href, but this is not reflected by the status bar or link properties.
Comment 1•14 years ago
That's just the way the web works, and it's the same in all browsers. If scripting is allowed then anything can happen at any time (and it doesn't have to be obvious like an onclick attribute right on the element, the event handler could be somewhere else).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
To be honest, I expected that this is as good as unfixable. Either that or we're talking of breaking a lot of scripting techniques. Trust of the browser session is quite important indeed, but I guess the average user does not even look at the status bar whilst hovering over a link.
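The report's test case turned into a static check, as an added example that is not part of the original bug report or any commenter's code: it flags anchors whose inline event handlers reassign the link target, so the href shown on hover may not be where the click lands. It goes slightly beyond the report by covering any inline on* attribute and a few other ways of assigning the destination. The sample markup, function names and patterns are constructed for illustration, and, as Comment 1 points out, a handler attached from script elsewhere is outside what a markup scan can see.

```javascript
// Added example, not code from the bug report or from Mozilla.
// Constructed sample markup; the first anchor is the report's test case.
const SAMPLE_HTML = `
<a href='1' onclick=this.href='2'>LINK</a>
<a href="/docs" onclick="track('docs')">Docs</a>
<a href="/x" onclick="if (this.href == location.href) return false">Same</a>
<a href="/a" onclick="this.setAttribute('href', '/b')">Next</a>
<a href="/plain">Plain</a>`;

// Handler code that changes the destination (assignment, not comparison).
const REWRITE_PATTERNS = [
  [/\bhref\s*=(?!=)/, 'assigns href'],
  [/\blocation\s*=(?!=)/, 'assigns location'],
  [/\blocation\.(?:assign|replace)\s*\(/, 'calls location.assign/replace'],
  [/\bsetAttribute\s*\(\s*['"]href['"]/i, 'calls setAttribute on href'],
];

// Parse attributes, accepting "quoted", 'quoted' and unquoted values; the
// report's onclick is unquoted and itself contains quote characters.
function parseAttrs(src) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of src.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per inline on* handler that rewrites the link target.
function findHrefRewrites(html) {
  const findings = [];
  const tagRe = /<a\s((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = parseAttrs(tag[1]);
    for (const [event, code] of Object.entries(attrs)) {
      if (!event.startsWith('on')) continue;
      const hit = REWRITE_PATTERNS.find(([re]) => re.test(code));
      if (hit) findings.push({ shownHref: attrs.href ?? null, event, reason: hit[1], code });
    }
  }
  return findings;
}

for (const f of findHrefRewrites(SAMPLE_HTML)) {
  console.log(`hover shows "${f.shownHref}" but ${f.event} ${f.reason}: ${f.code}`);
}
```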