Closed Bug 278242 Opened 20 years ago Closed 19 years ago

Link location can be spoofed in status bar using onclick

Categories: Firefox :: Security, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 229050

People: Reporter: andrew, Assigned: bugzilla

Details

As exemplified with the following code:

<!-- flag is only set by the onClick handler below; reading window.flag avoids a ReferenceError when the page is left without clicking -->
<body onUnload="if(window.flag)location.href='http://slashdot.org'">
<a href="http://www.google.com" onMouseOver="window.status='test'"
onClick="flag=true">testing</a>
</body>

the location that a link will take you to can be spoofed.  The onMouseOver event
is there to show that even with the preference to disable scripts from changing
status bar text turned off, Firefox doesn't allow this to change the status bar.
 However, clicking this link will take you to http://slashdot.org, while the
status bar will indicate that it will take you to http://www.google.com.  This
doesn't work in Internet Explorer, as in, it will still take you to
http://www.google.com.  My guess is that this is due to the order in which the
browser responds to the onClick event.  Perhaps <a> tags should not honor onClick
events if there is an external URL in the href attribute.
Tricking is always easy.

try:

<html>
<head><title>Opens mozilla.org in the same window</title>
</head>
<BODY> 
<a href="http://www.google.com/"
onclick="window.open('http://www.mozilla.org/','_self');return false;"
target="_self">Google</a>
</BODY>
</HTML>

or

<html>
<head><title>Opens mozilla.org in the new window</title>
</head>
<BODY> 
<a href="http://www.google.com/"
onclick="window.open('http://www.mozilla.org/','somewhere');return false;"
target="somewhere">Google</a>
</BODY>
</HTML>

These work in ALL major browsers!
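A defender-side check for the pattern shown in the snippets above (comment 1's window.open links and a literal location.href assignment): a static audit of page HTML that flags anchors whose inline onclick handler navigates to a different host than the href the status bar would show. This is an added example, not code from the bug report; SAMPLE_HTML is constructed input and the regex matching is a heuristic of this example, not a full HTML parser.

```javascript
// Added example, not code from the bug report: a static audit that flags anchors
// whose inline onclick handler navigates somewhere other than the advertised href,
// the pattern used by the proof-of-concept links in this bug. SAMPLE_HTML is
// constructed sample input; the regexes are a heuristic, not a full HTML parser.

const SAMPLE_HTML = `
<a href="http://www.google.com/" onclick="window.open('http://www.mozilla.org/','_self');return false;">Google</a>
<a href="http://www.google.com" onMouseOver="window.status='test'" onClick="flag=true">testing</a>
<a href="http://example.org/docs" onclick="location.href='http://example.org/docs?ref=1'">Docs</a>
<a href="/local" onclick="trackClick()">Local</a>
`;

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
// Handler code that changes the top-level location to a literal URL.
const NAV_RE = /(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\(|window\.open\s*\()\s*['"]([^'"]+)['"]/i;

// Parse the attribute text of one start tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

function hostOf(url, base) {
  try { return new URL(url, base).host; } catch (e) { return null; }
}

// Return the anchors whose onclick navigates to a different host than href shows.
function findSpoofedLinks(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.href || !attrs.onclick) continue;
    const nav = attrs.onclick.match(NAV_RE);
    if (!nav) continue;
    const advertised = hostOf(attrs.href, pageUrl);
    const actual = hostOf(nav[1], pageUrl);
    if (advertised && actual && advertised !== actual) {
      findings.push({ href: attrs.href, actual: nav[1] });
    }
  }
  return findings;
}

console.log(findSpoofedLinks(SAMPLE_HTML, 'http://example.org/'));
```

The onUnload variant from comment 0, where onclick only sets a flag and the redirect happens on unload, is outside this heuristic, which only sees literal URLs inside the handler itself.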
I tested your code, and with Firefox, both links end up at mozilla.org, but with
IE (latest updates and all), they end up at google.com as advertised in the
status bar.  I believe this is because IE takes the link click with precedence
over the onClick event, which Firefox does not do.  I think it should be changed
to match IE's behavior.
(In reply to comment #2)
> I tested your code, and with Firefox, both links end up at mozilla.org, but with
> IE (latest updates and all), they end up at google.com as advertised in the
> status bar.  I believe this is because IE takes the link click with precedence
> over the onClick event, which Firefox does not do.  I think it should be changed
> to match IE's behavior.
Obviously there is a difference between IE6 under XP and W2k.
In W2k/IE6 (both 100% patched) both links end up on Moz.org

Can't find a dupe (but it may be hidden from the public)

OS->All
->NEW
->Major
Severity: normal → major
OS: Windows XP → All
Status: UNCONFIRMED → NEW
Ever confirmed: true
I don't think this is something we can really fix.  You should only trust the status bar on pages that don't allow untrusted scripts (e.g. most forums).

*** This bug has been marked as a duplicate of 229050 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Component: General → Security
Resolution: --- → DUPLICATE
Summary: Link location can be spoofed in status bar → Link location can be spoofed in status bar using onclick