Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
student_it2016-09-05 21:44:52
JavaScript
student_it, 2016-09-05 21:44:52

href substitution when handling the onclick event. Is this a browser security issue?

Today I needed to make sure that after clicking on a link, its address changes to another one, so that when you click again, you can already go to it. And all of a sudden it didn't work the way I imagined it would, and could be a great opportunity for spammers, scammers, and other bad people.
Initially, the link itself looked like this
<a href="#mail">E-mail</a>
. A click on the link was processed with something like this code:

function email_clicked()
{
      this.href = "mailto:[email protected]";
      return true;
}

When I tried to click on the link, I found that the transition was already taking place at the spoofed address. That is, I click on one link, and it throws me to another.
This means that some bad person can make a link that supposedly leads to a safe site, but when clicked, it redirects to a site with ads or viruses. Googling on this topic, I found out that this loophole has been known since 2009. (This is somewhat similar to the situation with window.opener).
Question: is this (from the point of view of browser developers) a vulnerability, a bug, or is it "by design" and "it should be so, it cannot be fixed"?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
X
xmoonlight, 2016-09-05
@xmoonlight

That's what the onclick event is for, so that at the moment of clicking, handle this click as necessary. This is not a vulnerability, but a regular js code.
You can make a bunch of such links, but sooner or later such a site will be completely without visitors, and a couple of user complaints about a suspicious website (through a browser) will reduce its attendance to absolute zero.
So: yes - it's possible, yes - this is not a vulnerability or a bug, BUT - it's better not to do this and not mislead users.

Report
B
boodda, 2016-09-05
@boodda

This is how you put it "by design".

Report
I
imdeveloper, 2016-09-05
@link_web

This is usually done by those who want to make money on ads for clicks

Similar questions
V
Valeriu Vodnicear2016-06-07 20:59:31
How to free port 80 so that OpenServer works? 3Reply
R
Romi2021-03-22 23:42:55
Is there an analogue of Macromedia/Adobe Fireworks in Ubuntu/Linux? 7Reply
T
The Dragger2015-04-03 11:25:21
Which image upload for Yii would you recommend? 4Reply
R
Rain Summers2015-04-07 12:24:11
phpstorm. How to disable non-disabled "Inspections: cannot resolve file"? 5Reply
I
iSensei2014-05-09 17:40:23
Title in Tooltip on Bootstrap 3? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question