Closed Bug 43791 Opened 24 years ago Closed 23 years ago

Display un-spoofable URLs on link mouseover

Categories

(Core :: Security, defect, P1)

Tracking

VERIFIED DUPLICATE of bug 83578
Future

People

(Reporter: wwsmurf, Assigned: security-bugs)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; Creative)
BuildID:    n/a

    It is perhaps not such a good idea to have urls pop up on the status bar, 
as that is meant to be controllable by javascript.  It is perhaps better as a 
security option if one has urls which pop-up as you go over the urls, as opera 
does well.  The advantage is that these are not controllable by scripting.  You 
can be sure that what you see is what is there. . . always.

You're right, this is a potential source of spoofing, and popups would be nice. 
However, I think tradition prevails here; Netscape has always used the status bar 
this way. I believe the risk is minimal; an annoyance perhaps. Not enough to 
justify a change like this right now. Marking WONTFIX, but I will keep my eye out 
for spoofing attacks involving the status bar.
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
won't fix
Status: RESOLVED → VERIFIED
Reopening; I'd like to put this back on the radar. It seems to me that being able
to replace the URL displayed in the status bar, using script, is a contributing
factor to a lot of exploits. I'd like to consider a few alternate ideas:

1) Display both the mouseover'd URL and the script controlled window.status
separately in the statusbar, so one does not overwrite the other. We'd have to
keep very long status messages or URLs from being able to take over the whole space.

2) Use pop-up links (like tooltips). This would be a major change to our
look-and-feel, though.

Both of these have problems, but I think the issue is worth considering.
Changing description.
Severity: trivial → normal
Status: VERIFIED → UNCONFIRMED
Priority: P3 → P1
Resolution: WONTFIX → ---
Summary: pop-up urls, a la cello or opera, are a powerful security feature → Display un-spoofable URLs on link mouseover
Target Milestone: --- → Future
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I don't think it's really feasible to fix this problem.  If a web page really
wanted to spoof a link using javascript, it could change the URL of the link as
soon as you mousedown on the link, or have an onclick handler redirect you to
another page and return false.

> It is perhaps not such a good idea to have urls pop up on the status bar,
> as that is meant to be controllable by javascript.

Heh. I'm pretty sure URLs were appearing in the status bar years before 
JavaScript was even invented.

I think this is effectively a duplicate of bug 83578. If all Web-page-provided 
status text looks different from Mozilla-provided status text, then spoofed 
link URLs will look different from real link URLs. You won't know the real URL, 
but you'll at least know that the URL shown is a fake.
URL: n/a
Hardware: PC → All
OK, seeing as there's no real way to make links unspoofable, just making
script-set status text bold is probably the best we can do.


*** This bug has been marked as a duplicate of 83578 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → DUPLICATE
VERIFIED Dupe
Status: RESOLVED → VERIFIED
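
The ways a link can mislead that the comments above name (script-set status text, rewriting the href on mousedown, an onclick handler that redirects and returns false) can be flagged when reviewing a page's markup. The following is an added example, not code from this bug or from Mozilla; the rule names, function names and sample markup are constructed, and it only inspects inline handler attributes on <a> tags.

```javascript
// Each rule: which inline event attributes to inspect and what to look for.
const RULES = [
  { name: 'status-text-set-by-script', events: ['onmouseover', 'onmouseout'],
    pattern: /\bstatus\s*=(?!=)/ },                      // window.status = '...'
  { name: 'href-rewritten-on-press', events: ['onmousedown', 'onmouseup', 'onclick'],
    pattern: /(?<!location\.)\bhref\s*=(?!=)/ },         // this.href = '...'
  { name: 'handler-redirects', events: ['onmousedown', 'onclick'],
    pattern: /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:assign|replace)\s*\(/ },
];

// Parse name="value" pairs from the inside of a start tag (quoted or bare values).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of attrText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per (link, event attribute, rule) that matches.
function findSpoofableLinks(html) {
  const findings = [];
  // Quoted values are consumed whole so a '>' inside a handler does not end the tag.
  const anchorRe = /<a\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  for (const m of html.matchAll(anchorRe)) {
    const attrs = parseAttrs(m[1]);
    for (const rule of RULES) {
      for (const ev of rule.events) {
        if (attrs[ev] && rule.pattern.test(attrs[ev])) {
          findings.push({ href: attrs.href ?? null, event: ev, rule: rule.name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample markup: one plain link and one link per case.
const SAMPLE = `
<a href="http://example.com/a">plain link</a>
<a href="http://example.com/b" onmouseover="window.status='http://example.org/'; return true">status</a>
<a href="http://example.com/c" onmousedown="this.href='http://example.net/'">swap</a>
<a href="http://example.com/d" onclick="location.href='http://example.net/'; return false">redirect</a>
`;

for (const f of findSpoofableLinks(SAMPLE)) {
  console.log(`${f.rule}: ${f.href} (${f.event})`);
}
```

Handlers attached from script rather than as inline attributes are not visible to this check.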