EmployeeNumber8 Posted March 20, 2013 Share Posted March 20, 2013 Browser makers need to fix this Hacking the <a> tag in 100 characters Quote Link to comment Share on other sites More sharing options...
Ezelia Posted March 20, 2013 Share Posted March 20, 2013 Information shown on status bar is not secure in any way there are other ways to do that by overriding onunload event or event by overriding the statusbar text content in some old browsers since the browser still shows the real url on navigation bar, there is no security issue here this would be a hack if it was able to hide the target adress bar ... Quote Link to comment Share on other sites More sharing options...
EmployeeNumber8 Posted March 20, 2013 Author Share Posted March 20, 2013 Yeah I don't know. I think to better protect end users, all of those cases should raise an error, or just be ignored. I don't know what it says in the spec, but there simply shouldn't be any way to retarget your destination, unless you actually click on something else.At least that's how I'd implement it. Quote Link to comment Share on other sites More sharing options...
remvst Posted March 20, 2013 Share Posted March 20, 2013 As long as you can execute Javascript when clicking on a link, there's no need to change the href attribute, window.open() or window.location can already do the same job. Quote Link to comment Share on other sites More sharing options...
EmployeeNumber8 Posted March 20, 2013 Author Share Posted March 20, 2013 As long as you can execute Javascript when clicking on a link, there's no need to change the href attribute, window.open() or window.location can already do the same job. but the question is this... Does it pose a security risk? If so, should it be fixed, or is just by design? Quote Link to comment Share on other sites More sharing options...
remvst Posted March 20, 2013 Share Posted March 20, 2013 but the question is this... Does it pose a security risk? If so, should it be fixed, or is just by design?Well, it's a security risk when moving from an HTTPS website to a normal website. Though, HTTPS websites shouldn't have that kind of issues. Anyway, many websites are using this feature for their own navigation (Quakelive, for instance, makes intensive use of it). I highly doubt browsers will do anything about it, but I would love to be proven wrong Quote Link to comment Share on other sites More sharing options...
Ezelia Posted March 20, 2013 Share Posted March 20, 2013 There is no security risk in that behaviour, when you navigate to the target page you see the real URL you navigated to in the adress bar Quote Link to comment Share on other sites More sharing options...
benny! Posted March 21, 2013 Share Posted March 21, 2013 Well,its a nice thought.However I think the browserimplementation is by design and this is good IMHO. Its the behaviour I expected when dealing with click events on dom elements.So browser implementation must stay that way.You should not start to implement too many exceptions from the rule in the core of the browser.There could be lots of use cases which uses this technique with no malicious background.Still,I got your point. This may be used by some phishing sites and/or cross domain scripts.So maybe an anti phishing software could alert the user when the href value differs from the page to load. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.