Bug 212375 - Show the target URL of a link even despite JS
Status: NEW
Product: Core
Classification: Components
Component: Document Navigation
Version: Trunk
Platform: x86 Linux
Importance: -- enhancement with 4 votes
Assigned To: Nobody; OK to take it and work on it
URL: data:text/html,<a href="Click: www.go...
Reported: 2003-07-10 23:33 PDT by Ben Bucksch (:BenB)
Modified: 2009-06-15 09:42 PDT (History)

Description Ben Bucksch (:BenB) 2003-07-10 23:33:20 PDT
If you mouse over a link, you see the href in the status bar. That's good to
know where you'll go when you click on the link. This is important, because I
want to control where I go to :). There may be many reasons to want to know that
- maybe
1. I neither trust the security of Mozilla nor the site where I'll go (but I
mildly trust the site where the link is, e.g. in case of a link collection).
2. Not wanting to leave (log) trails on certain sites
3. Boycotting Amazon ;-)
4. Bug 122445
5. Whatever

So far so good. However, I cannot always trust what I see in the status bar.
First, the site may have overwritten the statusbar text using JS, but I can (and
do) disable that in the prefs. More tricky is when there's a link with JS (either
<a href="javascript:var foo = 'blablabla'; location='somepage.html'">
or
<a href="somepage.html" onclick="location='someotherpage.html'">
). Unfortunately, we cannot block those cases, because that kind of JS abuse is
very common on legitimate sites. But it can also be used to conceal the real URL
for malicious purposes.

This bug is about preventing that, to always show the user the URL where he'll
go when he clicks on something (may not even be a <a href>, but a div with
onclick and a blue, underlined style or an image or a form image button).

An intermediate solution could be to display "JavaScript link" when there's an
onclick despite a href.
Comment 1 Ben Bucksch (:BenB) 2003-07-10 23:48:38 PDT
> There may be many reasons to want to know that

I forgot an important case: Email. I may not immediately know if an email is
spam and just pretending to come from and link to a legitimate site or if it's real.
Comment 2 Jesse Ruderman 2003-11-02 21:26:28 PST
> An intermediate solution could be to display "JavaScript link" when there's an
> onclick despite a href.

Many onclicks on links are not evil.  For example, Google sponsored links have
an onclick on a div behind a link because they want the whole box to act as a
link.  But the following code shows that an onclick on a div behind a link can
alter the destination of a link:

<div onclick="document.links[0].href = 'http://mozilla.org';">
<a href="http://www.squarefree.com/">Fo</a>
</div>
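
The "JavaScript link" indicator discussed above, extended to the ancestor-handler case from Comment 2, as an added example that is not part of the original bug thread or of Mozilla's code. The `node`, `handlersOnPath` and `statusText` names are hypothetical, elements are modelled as plain objects so the check runs outside a browser, and only inline `onclick` attributes are considered.

```javascript
// Added illustration: plain objects stand in for DOM elements (tag, attrs, parent).
function node(tag, attrs = {}, parent = null) {
  return { tag, attrs, parent };
}

// Every element on the click's bubbling path (target first, then ancestors)
// that carries an inline onclick attribute. Assumption: handlers registered
// from script rather than as attributes are not visible to this check.
function handlersOnPath(el) {
  const found = [];
  for (let n = el; n; n = n.parent) {
    if (typeof n.attrs.onclick === "string") found.push(n.tag);
  }
  return found;
}

// Text to show on hover: the bare href only when no script can run on click.
function statusText(el) {
  const href = el.attrs.href;
  // Simplified scheme test: only leading whitespace is tolerated here.
  if (typeof href === "string" && /^\s*javascript:/i.test(href)) {
    return "JavaScript link";
  }
  const handlers = handlersOnPath(el);
  if (handlers.length > 0) {
    const shown = href === undefined ? "" : " (href: " + href + ")";
    return "JavaScript link via <" + handlers.join(">, <") + ">" + shown;
  }
  return href === undefined ? "" : href;
}

// Constructed samples built from the snippets quoted in the thread.
const plain = node("a", { href: "http://www.squarefree.com/" });
const jsHref = node("a", { href: "javascript:var foo = 'blablabla'; location='somepage.html'" });
const ownHandler = node("a", { href: "somepage.html", onclick: "location='someotherpage.html'" });
const wrapper = node("div", { onclick: "document.links[0].href = 'http://mozilla.org';" });
const wrapped = node("a", { href: "http://www.squarefree.com/" }, wrapper);
const fakeLink = node("div", { onclick: "location='someotherpage.html'" });

for (const el of [plain, jsHref, ownHandler, wrapped, fakeLink]) {
  console.log(el.tag + ": " + statusText(el));
}
```

A benign handler, such as the whole-box click on a sponsored link, gets the same label as one that rewrites the destination, which is the limitation Comment 2 points out.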
Comment 3 benc 2004-01-14 10:47:41 PST
This is a good idea. It might work well w/ bug 230910 to reduce the amount of JS
spoofing.
Comment 4 Robert Kaiser 2009-06-14 17:25:26 PDT
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.

If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.

Query tag for this change: mass-UNCONFIRM-20090614
Comment 5 Ben Bucksch (:BenB) 2009-06-15 02:24:02 PDT
Moved to Core, but may be Firefox, depending on Gecko API.
Comment 6 Nochum Sossonko [:Natch] 2009-06-15 09:41:18 PDT
Possible spoof testcase in url...
