Closed Bug 340792 Opened 19 years ago Closed 17 years ago

visually mark URLs where the HREF differs from the URL text and ask for confirmation before opening them

Categories

(SeaMonkey :: MailNews: Message Display, enhancement)

Product:
SeaMonkey
Component:
MailNews: Message Display
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: jochen, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060305 SeaMonkey/1.0 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060305 SeaMonkey/1.0 Many spam mails contain URLs of the form <a href="http://spammer.site.com/">http://trusted.site.com/</a>. MailNews should display such URLs in another color. Also images linking to some external site should be marked. Furthermore, when a user clicks on such a link, a confirmation dialog should inform about the fact that the link target potentially differs from the link text. Reproducible: Always
hmm, but what about <a href="http://spammer.site.com/">trusted site</a> or <a href="http://untrustedsite.com/">http://<span style="display:none">un</span>trustedsite.com</a> I think the phishing detector already picks up some of the things you're suggesting.
Version: unspecified → Trunk
Also, what about <a href="http://www.mozilla.com/">Firefox &amp; Thunderbird</a> ? Or, <a href="http://www.spammer.com/" style="color:#0000FF !important; text-decoration:underline !important">http://www.trustedsite.com/</a> Before any work gets done on such an "enhancement", we need to determine computer-usable criteria for when to use "normal" links and when to use "warning" links; and in this case I'm not sure such criteria can be found.
How about an option to display <a href="url">text</a> always as "url"? In the stripped-html mode, the layout is broken anyway..
(In reply to comment #3) > How about an option to display <a href="url">text</a> always as "url"? In the > stripped-html mode, the layout is broken anyway.. > What about: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=340792">bug 340792</a> <a href="#">Go to top</a> <a href="http://ftp.mozilla.org/pub/mozilla.org/seamonkey/nightly/latest-trunk/">Download the latest suiterunner nightly</a> or even <a href="mailto:ajschult@verizon.net>Andrew Schultz</a> Would you really display the href text rather than the <a> tag contents (which are valid from a human point of view, but from a computer's POV they are "different from the URL and therefore broken")? Beware of "too much of a good thing".
oops: my last example should have an additional quote, of course.
At least in thunderbird the scam detection will warn you if the link text looks like an url, but leads to another place than the url. (Warning on top of the msg and a confirmation dialog when you click it.)
If it's a text message (which i prefer anyway), it looks like this. Or even worse, when the URL contains a cookie. But I really prefer that. Alternatively, I could imagine something like a footnote: Go get the latest firefox[1] and thunderbird[2]. [1] http://download.microsoft.com/ie [2] http://download.microsoft.com/outlook
Assignee: mail → nobody
QA Contact: message-display
If you want you can use plain text view. HTML mails can look whatever they like anyway, and and "visual distinction" would just be asking for a scamming loop. ("No, this mail is not a scam, try the link on the bottom...") The confirmation we already do. I really think this should be wontfix.
(In reply to comment #8) [...] > I really think this should be wontfix. Well, who can decide this (for or against)?
OS: Linux → All
Hardware: PC → All
I agree with the WONTFIX as I don't think there's any variant that allows usual HTML display for normal stuff and at the same time non-easily-spoofable phishing protection. This is really a problem of HTML mail that is built into how HTML mail works. If someone shows us a well-working example of how to do that in a useful way that doesn't intrude in the display of useful, non-phishing HTML mail and that is not easily spoofable, I think both Thunderbird and SeaMonkey would be happy to integrate it, but I don't see this bug going there.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
(In reply to comment #10) Robert Kaiser <kairo@kairo.at> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution| |FIXED > I agree with the WONTFIX [...] er, Robert, I guess you were distracted there.
Resolution: FIXED → WONTFIX
You need to log in before you can comment on or make changes to this bug.