Closed Bug 1468727 Opened 6 years ago Closed 6 years ago

Firefox shows the wrong link, causing a security risk

Categories

(Firefox :: Untriaged, defect)

60 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1438660

People

(Reporter: coolcat_the_best2, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180517113820

Steps to reproduce:

I created this test page:
https://www.w3schools.com/code/tryit.asp?filename=FSB2DJHIGFTV
What I did was run the example code, hover over the created link multiple times, and then click it.


Actual results:

When hovering over the link, it shows safesite.com.
When clicking it, it opens malicioussite.com.


Expected results:

When both hovering and clicking the link, it should show or open malicioussite.com

Optionally, a page with the code snippet with both onmouseover and onmouseout on an <a> element that change its own url should maybe be considered a possibly fraudulent website.
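The heuristic proposed in the last paragraph of the report (flag an `<a>` whose onmouseover and onmouseout handlers both rewrite its own href) as a small static scanner over page markup. This is an added example, not code from the reporter's test page or from Firefox; the scanner, the regular expressions and the sample HTML are constructed here for illustration, and the hostnames in the sample are placeholders.

```javascript
// Static scan for anchors whose hover handlers both reassign their own href,
// i.e. links that preview one URL in the status bar and open another on click.
// Added example (constructed for this page, not Firefox's or the reporter's code).

// One attribute: name, optionally followed by =value in double, single or no quotes.
const ATTR_RE = /([^\s=\/>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
// A handler body that assigns to an href property (this.href='...'); the
// negative lookahead keeps "href == ..." comparisons from matching.
const HREF_ASSIGN_RE = /\bhref\s*=(?!=)/i;

// Parse the attribute text of one <a ...> start tag into a lowercase-keyed map.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <a> whose onmouseover AND onmouseout both rewrite href,
// exactly the pattern the report suggests treating as possibly fraudulent.
function findHrefSwappingAnchors(html) {
  const findings = [];
  for (const tag of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttributes(tag[1]);
    const over = attrs['onmouseover'];
    const out = attrs['onmouseout'];
    if (over !== undefined && out !== undefined &&
        HREF_ASSIGN_RE.test(over) && HREF_ASSIGN_RE.test(out)) {
      findings.push({ href: attrs['href'] ?? '', onmouseover: over, onmouseout: out });
    }
  }
  return findings;
}

// Constructed sample page: an honest link, a link that swaps its href on hover
// (the behaviour described in the report), and a link whose hover handlers only
// change styling and must not be flagged.
const SAMPLE_HTML = `
<p><a href="https://example.org/docs">Docs</a></p>
<p><a href="https://malicioussite.example/"
      onmouseover="this.href='https://safesite.example/'"
      onmouseout="this.href='https://malicioussite.example/'">Click me</a></p>
<p><a href="https://example.org/x" onmouseover="highlight(this)" onmouseout="unhighlight(this)">Styled</a></p>
`;

console.log(JSON.stringify(findHrefSwappingAnchors(SAMPLE_HTML), null, 2));
```

Running it reports only the second anchor. The scan is deliberately limited to inline handler attributes, which is what the report describes; handlers attached later with addEventListener, or href changes made from mousedown or click handlers, are not visible to a markup-only check and would need inspection of the live DOM.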

This is not fixable without solving the halting problem. See the duplicate bug, which was resolved wontfix.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

:Gijs You make a good point about the general case, however perhaps you did not try coolcat_the_best2's test code. The first time you click the link, Firefox *does* update the URL preview. It only doesn't on subsequent clicks. But if you have a touchscreen, it updates every time.

This inconsistent behaviour is better addressed by bug #1433319, which I have just updated with some more details based on this testing. I suggest duping to that bug instead.

(In reply to Paul from comment #2)
> :Gijs You make a good point about the general case, however perhaps you did
> not try coolcat_the_best2's test code. The first time you click the link,
> Firefox *does* update the URL preview. It only doesn't on subsequent clicks.
> But if you have a touchscreen, it updates every time.
> 
> This inconsistent behaviour is better addressed by bug #1433319, which I
> have just updated with some more details based on this testing. I suggest
> duping to that bug instead.

Eh, bug 1438660 has specific pointers to what code needs updating, so I've duped both your suggestion and this bug to that one.

That said, I continue to believe that we shouldn't bother attempting to fix this, though not strongly enough to object should someone write a patch.

Thanks, good solution. The great number of reports against this family of issues shows that it does violate the Law of Least Astonishment. Especially the inconsistency.