Closed
Bug 43791
Opened 24 years ago
Closed 23 years ago
Display un-spoofable URLs on link mouseover
Categories
(Core :: Security, defect, P1)
Tracking
Future
People
(Reporter: wwsmurf, Assigned: security-bugs)
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; Creative)
BuildID: n/a

It is perhaps not such a good idea to have URLs pop up on the status bar, as that is meant to be controllable by JavaScript. It is perhaps better as a security option if one has URLs which pop up as you go over the URLs, as Opera does well. The advantage is that these are not controllable by scripting. You can be sure that what you see is what is there. . . always.
Comment 1•24 years ago
You're right, this is a potential source of spoofing, and popups would be nice. However, I think tradition prevails here; Netscape has always used the status bar this way. I believe the risk is minimal; an annoyance perhaps. Not enough to justify a change like this right now. Marking WONTFIX, but I will keep my eye out for spoofing attacks involving the status bar.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
Comment 3•23 years ago
Reopening; I'd like to put this back on the radar. It seems to me that being able to replace the URL displayed in the status bar, using script, is a contributing factor to a lot of exploits. I'd like to consider a few alternate ideas:

1) Display both the mouseover'd URL and the script-controlled window.status separately in the statusbar, so one does not overwrite the other. We'd have to keep very long status messages or URLs from being able to take over the whole space.
2) Use pop-up links (like tooltips). This would be a major change to our look-and-feel, though.

Both of these have problems, but I think the issue is worth considering. Changing description.
Severity: trivial → normal
Status: VERIFIED → UNCONFIRMED
Priority: P3 → P1
Resolution: WONTFIX → ---
Summary: pop-up urls, a la cello or opera, are a powerful security feature → Display un-spoofable URLs on link mouseover
Target Milestone: --- → Future
Updated•23 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 4•23 years ago
I don't think it's really feasible to fix this problem. If a web page really wanted to spoof a link using JavaScript, it could change the URL of the link as soon as you mousedown on the link, or have an onclick handler redirect you to another page and return false.
Comment 5•23 years ago
> It is perhaps not such a good idea to have urls pop up on the status bar,
> as that is meant to be controllable by javascript.

Heh. I'm pretty sure URLs were appearing in the status bar years before JavaScript was even invented.

I think this is effectively a duplicate of bug 83578. If all Web-page-provided status text looks different from Mozilla-provided status text, then spoofed link URLs will look different from real link URLs. You won't know the real URL, but you'll at least know that the URL shown is a fake.
URL: n/a
Hardware: PC → All
Comment 6•23 years ago
OK, seeing as there's no real way to make links unspoofable, just making script-set status text bold is probably the best we can do.

*** This bug has been marked as a duplicate of 83578 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → DUPLICATE
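The behaviours raised in comments 3 and 4 (script overwriting the status text on hover, and handlers that change the destination at mousedown or click) can be flagged when reviewing a page's markup. The following is an added example, not part of the bug report or Mozilla's code; the rule ids, `auditLinks`, `parseAttrs` and the sample HTML are constructed for illustration, and the regex scan covers inline handler attributes only.

```javascript
// Added example: flag inline link handlers that can make the hover URL misleading.
// Heuristic regex scan of inline attributes only; not a full HTML or JS parser.
const RULES = [ // rule ids are hypothetical names for this example
  { id: "status-overwrite", attrs: ["onmouseover", "onmouseout", "onfocus"],
    re: /\b(?:window\.|self\.)?status\s*=(?!=)/ },
  { id: "href-rewrite", attrs: ["onmousedown", "onmouseup", "onclick"],
    re: /(?<!location\.)\bhref\s*=(?!=)/ },
  { id: "click-redirect", attrs: ["onmousedown", "onclick"],
    re: /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/ },
];

// Collect attribute name/value pairs from one start tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per (link, rule, handler) match.
function auditLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi)) {
    const attrs = parseAttrs(tag);
    for (const rule of RULES) {
      for (const name of rule.attrs) {
        if (attrs[name] && rule.re.test(attrs[name])) {
          findings.push({ href: attrs.href ?? null, rule: rule.id, handler: name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample markup (reserved .example domains).
const SAMPLE = `
<a href="https://docs.example/">plain</a>
<a href="https://a.example/" onmouseover="window.status='https://b.example/'; return true">A</a>
<a href="https://b.example/" onmousedown="this.href='https://a.example/'">B</a>
<a href="https://b.example/" onclick="location.href='https://a.example/'; return false">C</a>
`;

console.log(auditLinks(SAMPLE));
```

Handlers attached from script with `addEventListener` are invisible to this scan, which is the same limitation comment 4 points at: the markup alone does not determine where a click ends up.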