Why do browsers allow onmousedown JS to change href?

徘徊边缘 submitted on 2019-12-02 18:38:21

I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:

<body onmousedown="document.getElementById('changeMe').href='www.somewhereelse.com'">
    <a id="changeMe" href="www.google.com">google</a>
</body>

Events bubble up to their parent, so you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:

<script>
    function switcher() {
       window.location = "www.somewhereelse.com";
       return false;
    }
</script>
<body onmousedown="switcher()">
    <a href="www.google.com">google</a>
</body>

So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.

The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.

To change this, browsers would need to give the set href value on a link at the time of the click precedence over any other events that might happen, basically disabling mouse events on anchor tags. I would venture to guess they probably won't do this; it would break too many applications that already exist.

Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.
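A defender-side check of the kind the edit above mentions, added here as an illustration and not part of the original answer: it records an anchor's href when the pointer goes down (in the capture phase, so it runs before any onmousedown handler on body or the anchor) and compares it with the href present at click time, asking the user before following a link whose target was swapped in between. The names installLinkGuard, detectHrefSwap and normalizeHref are my own.

```javascript
// Added example (not from the original answers): detect the href-swap
// pattern shown in the first snippet by comparing the anchor's href at
// mousedown with its href at click.

function normalizeHref(href) {
  // Resolve relative values against a dummy base so 'http://www.google.com'
  // and 'http://www.google.com/' compare equal; fall back to the raw string.
  try {
    return new URL(href, 'https://example.invalid/').href;
  } catch (e) {
    return String(href);
  }
}

// Pure comparison: returns { hijacked, before, after } so it can be tested
// without a DOM.
function detectHrefSwap(hrefAtMouseDown, hrefAtClick) {
  const before = normalizeHref(hrefAtMouseDown);
  const after = normalizeHref(hrefAtClick);
  return { hijacked: before !== after, before: before, after: after };
}

function installLinkGuard(doc) {
  const seen = new WeakMap(); // anchor element -> href captured at mousedown

  // Capture-phase listeners on the document fire before inline handlers on
  // <body> or the anchor itself, so we see the href before it is rewritten.
  doc.addEventListener('mousedown', (evt) => {
    const a = evt.target.closest ? evt.target.closest('a[href]') : null;
    if (a) seen.set(a, a.getAttribute('href'));
  }, true);

  doc.addEventListener('click', (evt) => {
    const a = evt.target.closest ? evt.target.closest('a[href]') : null;
    if (!a || !seen.has(a)) return;
    const r = detectHrefSwap(seen.get(a), a.getAttribute('href'));
    if (r.hijacked) {
      const msg = 'Link target changed from ' + r.before + ' to ' + r.after +
                  ' after you pressed the mouse button. Continue?';
      if (!doc.defaultView.confirm(msg)) evt.preventDefault();
    }
  }, true);
}

// Only wire up the guard when running in a browser.
if (typeof document !== 'undefined') installLinkGuard(document);
```

This only catches the first pattern (rewriting the href); the window.location and element-replacement variants described above never present a changed href on the clicked anchor, which is why the answer's conclusion stands: trust the URL bar, not the status bar.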

The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless.

If by "check" you mean the link 'preview' browsers show at the bottom status bar, then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jQuery script below on a page will cause all links to go to google.com regardless of what the actual href target of the link is:

$('a').click(function(evt){evt.preventDefault();window.location.href="http://google.com"})

Can't phishing websites misuse this?

Not really, because facebook is where the said javascript would have to be called from. The user has to go to an untrusted source in the first place, which would embed the javascript in the tag.
