Firefox - URL Source Destination Issue (updatebox - event)

RESOLVED INVALID

Status

()

Firefox
Untriaged
RESOLVED INVALID
a year ago
a year ago

People

(Reporter: Benjamin Kunz Mejri, Unassigned)

Tracking

48 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

<html>
<body>
<div id="mydiv"
onmouseover="document.location='http://vulnerability-lab.com';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
mouseX=evt.pageX?evt.pageX:evt.clientX;
mouseY=evt.pageY?evt.pageY:evt.clientY;
document.getElementById('mydiv').style.left=mouseX-1;
document.getElementById('mydiv').style.top=mouseY-1;
}
</script>
<a href="http://www.google.com" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">Visit google.com</font></a><br>
</div>
</body>
</html>


Actual results:

The original source of the url is hidden during the event onclick updatebox.


Expected results:

the original source or destination event should be visible or included to the bar to prevent exploitation or misuse.

Comment 1

a year ago
There is no way for Firefox to predict what location the mouseover will send the user to, so there is no way to make it "visible or included to the bar" (assuming you mean the status tooltip that appears at the bottom left/right indicating the target of a link). The same problem is reproducible on Chrome on Windows, and probably in other browsers depending on timing. The correct URL is displayed in the location bar at all times.

This type of trick is well-known as being possible also (and more reliably) with e.g. a mousedown handler on the link that then changes its href (or simply sets window.location). It's not something against which the browser as a whole can do much without breaking real websites. As a result, marking invalid (cantfix/notabug).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.