phishing, link manipulated with javascript
Categories: Core :: DOM: Core & HTML, defect, P5
People: Reporter: mrclone, Unassigned
Keywords: csectype-spoof
Comment 12•2 years ago
Issues in DOM tree https://dom.spec.whatwg.org & HTML https://html.spec.whatwg.org that do not fit into any other DOM or HTML component or which span multiple DOM or HTML components.
This bug shows a violation in the WHATWG HTML specification 15.7.1 (https://html.spec.whatwg.org/multipage/rendering.html#links,-forms,-and-navigation) and so while it is 'just the way the web works' it is a necessary change to the browser in order to maintain compliance with the standards. (See bug 1805585)
This can be fixed by not allowing JavaScript to arbitrarily change navigation links as they are clicked.
- Create a cached copy of the clicked link destination and navigate there (so that JavaScript cannot change the destination)
- Clicking a link causes the browser to navigate to the page before any JavaScript can run
Comment 13•2 years ago
(In reply to cc.bugreporting from comment #12)
> Issues in DOM tree https://dom.spec.whatwg.org & HTML https://html.spec.whatwg.org that do not fit into any other DOM or HTML component or which span multiple DOM or HTML components.
> This bug shows a violation in the WHATWG HTML specification 15.7.1 (https://html.spec.whatwg.org/multipage/rendering.html#links,-forms,-and-navigation)

How? That section is not normative, to begin with. The spec sections that specify this is this and this and this and this, and more in particular this, which works as defined in the spec afaict.

> This can be fixed by not allowing JavaScript to arbitrarily change navigation links as they are clicked.
> - Create a cached copy of the clicked link destination and navigate there (so that JavaScript cannot change the destination)
> - Clicking a link causes the browser to navigate to the page before any JavaScript can run

What does "as they are clicked" mean? After mousedown? After mouseup? What if js does link.click()? Even if you did that somehow in a well defined way that didn't break the web, JS could still preventDefault() the navigation and run window.open() instead, bypassing all this mechanism altogether.

This just doesn't seem particularly fixable, as described. The only potential "fix" I can think of is some kind of prompt that did something like, if the link was modified in the last 100ms (or so?), confirm that the user wants to go to the target URI? Still rather annoying for the end user, tho, and again won't fix the window.open() case.
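The prompt idea discussed in comment 13, modelled as an added example that is not part of the thread and is not Firefox code: it simulates a click on a link and shows which cases a "modified in the last 100ms" check would flag and which one never reaches the check. `LinkModel`, `activate`, `scenarios`, the event stand-in and all URLs are hypothetical names and constructed values.

```javascript
// Added illustration, not Firefox code: models the "link modified in the
// last 100ms (or so)" prompt idea. All names and URLs are constructed.
const RECENT_MS = 100;

class LinkModel {
  constructor(href) { this.href = href; this.lastChange = -Infinity; }
  setHref(href, now) {
    if (href !== this.href) { this.href = href; this.lastChange = now; }
  }
}

// Simulate one click at time `now` (ms). Each handler stands in for a page
// click listener and receives an event-like object plus the link.
function activate(link, handlers, now) {
  const shown = link.href;               // destination the user saw
  const opened = [];                     // URLs passed to the window.open() stand-in
  const ev = {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    open(url) { opened.push(url); },
  };
  for (const h of handlers) h(ev, link, now);
  if (ev.defaultPrevented) {
    // No default navigation happens, so the prompt check is never reached.
    return { action: 'none', shown, target: null, opened };
  }
  const recent = now - link.lastChange <= RECENT_MS;
  return { action: recent ? 'confirm' : 'navigate', shown, target: link.href, opened };
}

// Constructed scenarios.
function scenarios() {
  const untouched = activate(new LinkModel('https://example.com/a'), [], 5000);
  const early = new LinkModel('https://example.com/a');
  early.setHref('https://example.com/a?ref=nav', 10);   // set at page load
  const stable = activate(early, [], 5000);
  const swapped = activate(new LinkModel('https://example.com/a'),
    [(ev, l, t) => l.setHref('https://example.net/b', t)], 5000);
  const bypass = activate(new LinkModel('https://example.com/a'),
    [(ev) => { ev.preventDefault(); ev.open('https://example.net/b'); }], 5000);
  return { untouched, stable, swapped, bypass };
}

console.log(scenarios());
```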