URL Spoofing via onclick

RESOLVED INVALID

Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 8 years ago
Reporter: Chris
Assignee: Unassigned
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 8 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

Same old story, hover over a link to see the status bar or check the properties of the link to see that it suggests the target is one place, but in reality the link will lead elsewhere.

Reproducible: Always

Steps to Reproduce:
<a href='1' onclick="this.href='2'">LINK</a>

Actual Results:
The onclick function updates the href, but this is not reflected by the status bar or link properties.
Comment 1 (8 years ago)

That's just the way the web works, and it's the same in all browsers. If scripting is allowed then anything can happen at any time (and it doesn't have to be obvious like an onclick attribute right on the element, the event handler could be somewhere else).

Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
Comment 2 (Reporter, 8 years ago)

To be honest, I expected that this is as good as unfixable. Either that or we're talking of breaking a lot of scripting techniques. Trust of the browser session is quite important indeed, but I guess the average user does not even look at the status bar whilst hovering over a link.
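Added here as an illustration, not code from the bug report or from Mozilla: a small audit that scans HTML for the pattern in the reproduction step (an anchor whose inline handler reassigns href or location) and, because comment 1 points out that the handler need not sit on the element, also flags inline script bodies that do the same. The sample HTML and all names are constructed; the audit only sees inline markup, so external scripts and handlers attached with addEventListener are outside its reach.

```python
import re
from html.parser import HTMLParser

# Inline handlers that run on activation, i.e. after the href was shown on hover.
HANDLER_ATTRS = ("onclick", "onmousedown", "onmouseup", "onauxclick")
# An assignment (not a comparison such as ==) to some .href or to location.
MUTATION_RE = re.compile(r"(?:\.href|\blocation)\s*=(?!=)")

class LinkAuditor(HTMLParser):
    """Collects anchors with target-rewriting handlers and inline scripts that do the same."""
    def __init__(self):
        super().__init__()
        self.findings = []         # (href as shown, handler attribute, handler code)
        self.script_findings = []  # inline script text that assigns to href/location
        self._script = None        # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            shown = attrs.get("href", "")
            for name in HANDLER_ATTRS:
                code = attrs.get(name)
                if code and MUTATION_RE.search(code):
                    self.findings.append((shown, name, code))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            if MUTATION_RE.search(body):
                self.script_findings.append(body)
            self._script = None

def audit_links(html):
    """Return (anchor findings, inline script findings) for one HTML document."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings, parser.script_findings

# Constructed sample: the report's pattern, a comparison (not flagged), and comment 1's script-elsewhere case.
SAMPLE = """<a href='1' onclick="this.href='2'">LINK</a>
<a href="/ok" onclick="if (this.href == 'x') track()">compare only</a>
<script>document.links[0].href = 'https://example.net/';</script>"""
```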