Closed
Bug 43791
Opened 25 years ago
Closed 23 years ago
Display un-spoofable URLs on link mouseover
Categories: Core :: Security, defect, P1
Tracking: Future
People: Reporter: wwsmurf, Assigned: security-bugs
Details
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; Creative)
BuildID: n/a
It is perhaps not such a good idea to have urls pop up on the status bar,
as that is meant to be controllable by javascript. It is perhaps better as a
security option if one has urls which pop-up as you go over the urls, as opera
does well. The advantage is that these are not controllable by scripting. You
can be sure that what you see is what is there. . . always.
Comment 1•25 years ago (Assignee)
You're right, this is a potential source of spoofing, and popups would be nice.
However, I think tradition prevails here; Netscape has always used the status bar
this way. I believe the risk is minimal; an annoyance perhaps. Not enough to
justify a change like this right now. Marking WONTFIX, but I will keep my eye out
for spoofing attacks involving the status bar.
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago
Resolution: --- → WONTFIX
Comment 3•24 years ago (Assignee)
Reopening; I'd like to put this back on the radar. It seems to me that being able
to replace the URL displayed in the status bar, using script, is a contributing
factor to a lot of exploits. I'd like to consider a few alternate ideas:
1) Display both the mouseover'd URL and the script controlled window.status
separately in the statusbar, so one does not overwrite the other. We'd have to
keep very long status messages or URLs from being able to take over the whole space.
2) Use pop-up links (like tooltips). This would be a major change to our
look-and-feel, though.
Both of these have problems, but I think the issue is worth considering.
Changing description.
Severity: trivial → normal
Status: VERIFIED → UNCONFIRMED
Priority: P3 → P1
Resolution: WONTFIX → ---
Summary: pop-up urls, a la cello or opera, are a powerful security feature → Display un-spoofable URLs on link mouseover
Target Milestone: --- → Future
Updated•24 years ago (Assignee)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 4•24 years ago
I don't think it's really feasible to fix this problem. If a web page really
wanted to spoof a link using javascript, it could change the URL of the link as
soon as you mousedown on the link, or have an onclick handler redirect you to
another page and return false.
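The script behaviours named in comments 3 and 4 (overwriting the status text, changing a link's URL on mousedown, redirecting from onclick and returning false) can be flagged statically when they appear in inline handlers. The following is an added example, not code from this bug or from Mozilla; `auditLinks`, the rule labels and the sample markup are constructed for illustration.

```javascript
// Added example: heuristic audit of <a> tags for the spoofing patterns discussed in this bug.
// Only inline handler attributes are inspected; listeners attached from script are out of scope.

// Each rule: which handler attribute to look at, what to look for in its body, and a label.
const RULES = [
  { attr: /^onmouse(over|move|enter)$/, body: /\bstatus\s*=(?!=)/, finding: "status-text-override" },
  { attr: /^on(mousedown|mouseup|click)$/, body: /(?<!location\.)\bhref\s*=(?!=)/, finding: "href-rewrite-on-activate" },
  { attr: /^onclick$/, body: /\blocation(\.href)?\s*=(?!=)[\s\S]*\breturn\s+false\b/, finding: "redirect-and-cancel" },
];

// Parse name=value pairs from one opening tag (double-quoted, single-quoted or bare values).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per (handler, rule) match, keeping the href the user would expect to follow.
function auditLinks(html) {
  const findings = [];
  // Quoted runs are consumed whole so a '>' inside an attribute value does not end the tag early.
  for (const [tag] of html.matchAll(/<a\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi)) {
    const attrs = parseAttrs(tag);
    for (const [name, value] of Object.entries(attrs)) {
      for (const rule of RULES) {
        if (rule.attr.test(name) && rule.body.test(value)) {
          findings.push({ href: attrs.href ?? null, handler: name, finding: rule.finding });
        }
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from any real page).
const SAMPLE_HTML = `
<a href="https://example.org/docs">plain link</a>
<a href="https://tracker.example/r?u=1" onmouseover="window.status='https://example.org/'; return true">a</a>
<a href="https://example.org/" onmousedown="this.href='https://tracker.example/r'">b</a>
<a href="https://example.org/" onclick="location.href='https://tracker.example/r'; return false">c</a>
<a href="https://example.org/a>b" onclick="if (x == 1) track()">benign handler</a>
`;

console.log(auditLinks(SAMPLE_HTML));
```

A clean result from this check does not mean a link is trustworthy, since the same behaviour can be attached from a script block or an external file.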
Comment 5•23 years ago
> It is perhaps not such a good idea to have urls pop up on the status bar,
> as that is meant to be controllable by javascript.
Heh. I'm pretty sure URLs were appearing in the status bar years before
JavaScript was even invented.
I think this is effectively a duplicate of bug 83578. If all Web-page-provided
status text looks different from Mozilla-provided status text, then spoofed
link URLs will look different from real link URLs. You won't know the real URL,
but you'll at least know that the URL shown is a fake.
URL: n/a
Hardware: PC → All
Comment 6•23 years ago (Assignee)
OK, seeing as there's no real way to make links unspoofable, just making
script-set status text bold is probably the best we can do.
*** This bug has been marked as a duplicate of 83578 ***
Status: ASSIGNED → RESOLVED
Closed: 25 years ago → 23 years ago
Resolution: --- → DUPLICATE