JavaScript
student_it, 2016-09-05 21:44:52

href substitution when handling the onclick event. Is this a browser security issue?

Today I needed to make sure that after clicking on a link, its address changes to another one, so that when you click again, you are already taken to it. And suddenly it didn't work the way I imagined it would, and it could be a great opportunity for spammers, scammers, and other bad people.
Initially, the link itself looked like this:
<a href="#mail">E-mail</a>
A click on the link was handled with something like this code:

// Click handler for the link; `this` is the <a> element when the handler
// is attached as a property or via addEventListener.
function email_clicked()
{
      this.href = "mailto:[email protected]";
      return true;
}

When I tried to click on the link, I found that the navigation was already going to the substituted address. That is, I click on one link, and it throws me to another.
This means that some bad person can make a link that supposedly leads to a safe site, but when clicked, it redirects to a site with ads or viruses. Googling on this topic, I found out that this loophole has been known since 2009. (This is somewhat similar to the situation with window.opener.)
Question: from the point of view of browser developers, is this a vulnerability, a bug, or is it "by design" and "it should be so, it cannot be fixed"?
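The behaviour the question describes follows from the order in which a browser dispatches a click: capture-phase listeners, then the element's own handlers, then bubble-phase listeners, and only after all of them the default action, which reads `href` at that moment. The following is an added example, not code from the original post: it models that dispatch order without a DOM (`FakeAnchor`, `FakeDocument` and `dispatchClick` are stand-ins constructed here), reproduces the href swap with the poster's handler (using an assumed example address, `mailto:user@example.com`), and then shows a page-side guard, `installLinkSwapGuard` (my own design, not something the page or any browser provides), that snapshots `href` in the capture phase and blocks the navigation if it has changed by the bubble phase.

```javascript
'use strict';

// Minimal stand-in for an <a> element: it has an href and its own click
// listeners (target phase). Not a real DOM node.
class FakeAnchor {
  constructor(href) {
    this.href = href;
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'click') this.listeners.push(fn);
  }
}

// Minimal stand-in for document, which sees the click in the capture phase
// (before the anchor's handlers) and again in the bubble phase (after them).
class FakeDocument {
  constructor() {
    this.capture = [];
    this.bubble = [];
  }
  addEventListener(type, fn, useCapture = false) {
    if (type !== 'click') return;
    (useCapture ? this.capture : this.bubble).push(fn);
  }
}

// Dispatch a click the way a browser does: capture listeners, then the
// target's own listeners, then bubble listeners, and only THEN the default
// action. The default action reads anchor.href at that moment, so a handler
// that rewrote href wins. Returns the URL the browser would navigate to, or
// null if some listener called preventDefault().
function dispatchClick(doc, anchor) {
  const event = {
    target: anchor,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
  for (const fn of doc.capture) fn.call(doc, event);
  for (const fn of anchor.listeners) fn.call(anchor, event);
  for (const fn of doc.bubble) fn.call(doc, event);
  return event.defaultPrevented ? null : anchor.href;
}

// The handler from the question, with an assumed example address in place
// of the one the post used.
function email_clicked() {
  this.href = 'mailto:user@example.com';
  return true; // has no effect on the default action
}

// Scenario 1: no guard. The link the user saw said "#mail"; the click goes
// to whatever the handler put into href.
function navigateWithoutGuard() {
  const doc = new FakeDocument();
  const a = new FakeAnchor('#mail');
  a.addEventListener('click', email_clicked);
  return dispatchClick(doc, a);
}

// Page-side guard (assumed design, not from the post): snapshot each link's
// href in the capture phase, before any element handler has run, and compare
// in the bubble phase, after they have all run. A changed href means the
// destination the user was shown is not the one they would get; block it
// and report it. A WeakMap keys the snapshot by element without retaining it.
function installLinkSwapGuard(doc, onSwap) {
  const seen = new WeakMap();
  doc.addEventListener('click', (e) => {
    seen.set(e.target, e.target.href);
  }, true);
  doc.addEventListener('click', (e) => {
    const before = seen.get(e.target);
    if (before !== undefined && before !== e.target.href) {
      e.preventDefault();
      onSwap(before, e.target.href);
    }
  }, false);
}

// Scenario 2: a link with an optional click handler, with the guard installed.
function navigateWithGuard(href, handler) {
  const doc = new FakeDocument();
  const swaps = [];
  installLinkSwapGuard(doc, (from, to) => swaps.push({ from, to }));
  const a = new FakeAnchor(href);
  if (handler) a.addEventListener('click', handler);
  return { navigatedTo: dispatchClick(doc, a), swaps };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('without guard ->', navigateWithoutGuard());
  console.log('guard, swapping link ->', navigateWithGuard('#mail', email_clicked));
  console.log('guard, honest link ->', navigateWithGuard('https://example.com/', null));
}
```

On a real page the same guard is two `document.addEventListener('click', fn, true)` / `false` registrations. Its limits are worth stating: it only catches an href change made by handlers that run between its two listeners during the click dispatch, so a swap done on `mousedown` or `mouseover`, or by a document capture listener registered before the guard, goes unnoticed (move the snapshot to `mouseover` if that matters), and it cannot tell the poster's legitimate swap from a malicious one. It also protects only against content the page author did not write; the author's own scripts can do anything. The check a browser user actually gets is the status-bar URL on hover, which shows `href` at hover time, not at click time, which is why browsers treat the swap as by design.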


3 answers

xmoonlight (@xmoonlight), 2016-09-05

That's what the onclick event is for: so that at the moment of clicking, the click is handled as necessary. This is not a vulnerability, just regular JS code.
You can make a bunch of such links, but sooner or later such a site will have no visitors at all, and a couple of user complaints about a suspicious website (through the browser) will reduce its traffic to absolute zero.
So: yes, it's possible; yes, it's not a vulnerability or a bug; BUT it's better not to do this and not mislead users.

boodda (@boodda), 2016-09-05

It is, as you put it, "by design".

imdeveloper (@link_web), 2016-09-05

This is usually done by those who want to make money from ad clicks.
