Bug 705153 (Closed)
Opened 13 years ago
Closed 12 years ago
Link target can be spoofed (Links on Facebook)
Categories: Firefox :: Security, defect
Status: RESOLVED DUPLICATE of bug 257307
People: Reporter: jidanni, Unassigned
User Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0a2) Gecko/20111118 Firefox/10.0a2 Iceweasel/10.0a2
Build ID: 20111118042017
Steps to reproduce:
Thought I copied the link location, http://lyrics.wikia.com/Lord_Finesse:Hey_Look_At_Shorty
Actual results:
Well, when one actually clicks the link, one finds that that is not the REAL link location, http://www.facebook.com/l.php?u=http%3A%2F%2Flyrics.wikia.com%2FLord_Finesse%3AHey_Look_At_Shorty&h=Hzzzzpw5sAQF2trxZX-41BN1TuzzzzzYsF8GXzzzzzz1igw
Expected results:
There should be a second menu item appearing in this case, "copy REAL link location", else well, you are helping websites fool users... same with link previews... they need to show both "real and fake locations".
OK, one can say "well we can't execute every site's javascript external link tracker code for every link even before they click it... too fancy. Install ... add-on if you need to be warned each time, or hit view source selection"...
"Besides, the average user doesn't care if it is not a 'direct' link."
In that case just mark this WONTFIX.
Comment 1•13 years ago
(In reply to jidanni from comment #0)
> User Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0a2) Gecko/20111118
> Firefox/10.0a2 Iceweasel/10.0a2
> Build ID: 20111118042017
>
> Steps to reproduce:
>
> Thought I copied the link location,
> http://lyrics.wikia.com/Lord_Finesse:Hey_Look_At_Shorty
>
>
> Actual results:
>
> Well, when one actually clicks the link, one finds that that is not the REAL
> link location,
> http://www.facebook.com/l.php?u=http%3A%2F%2Flyrics.wikia.com%2FLord_Finesse%3AHey_Look_At_Shorty&h=Hzzzzpw5sAQF2trxZX-41BN1TuzzzzzYsF8GXzzzzzz1igw
>
>
>
> Expected results:
>
> There should be a second menu item appearing in this case, "copy REAL link
> location", else well, you are helping websites fool users... same with link
> previews... they need to show both "real and fake locations".
Pretty sure there is an open bug about that one already
>
> OK, one can say "well we can't execute every site's javascript external link
> tracker code for every link even before they click it... too fancy. Install
> ... add-on if you need to be warned each time, or hit view source
> selection"...
>
> "Besides, the average user doesn't care if it is not a 'direct' link."
>
> In that case just mark this WONTFIX.
I am confused as to the exact issue. Can you put together a simple HTML page that shows the issue? How does Firefox know what the REAL link location is?
Comment 2•13 years ago (Reporter)
Just examine common external links on Facebook, e.g., making the above innocent link actually produces this booby-trapped link,
<a xmlns="http://www.w3.org/1999/xhtml" onmousedown='UntrustedLink.bootstrap($(this), "jAQFYwvwmmmmmmmmmmmmCQxBkkIXsx4zSki1Cmd2GnPamNQ", event, bagof(null));' rel="nofollow" target="_blank" href="http://lyrics.wikia.com/Lord_Finesse:Hey_Look_At_Shorty">Lord Finesse:Hey Look At Shorty</a>
which successfully fools a default Firefox installation into giving the user _no signal_ that he is actually about to go on a javascript trip somewhere else! No matter how he hovers or probes with Copy Link Location, reality only sets in once he clicks the link.
Updated•13 years ago
Status: UNCONFIRMED → NEW
Component: Menus → Security
Ever confirmed: true
OS: Linux → All
QA Contact: menus → firefox
Hardware: x86 → All
Summary: add "copy REAL link location" → Link target can be spoofed
Version: 10 Branch → Trunk
Updated•13 years ago
Summary: Link target can be spoofed → Link target can be spoofed (Links on Facebook)
Comment 3•13 years ago
It looks as if these bugs are being marked duplicate of bug 229050; Not marking as such as there may be better solutions.
Comment 4•13 years ago (Reporter)
Same problem in chromium: http://code.google.com/p/chromium/issues/detail?id=4583
Comment 5•13 years ago
This is how the web works. Scripts can redirect the browser to another page on click.
Or else script initiating drop down menus would probably fail on most sites if any browser (1) prevented the redirect, (2) ignored the onclick.
Showing the actual url would not be feasible because (1) requires pre-parsing of javascript code and reversing the side effects = complex code (2) if the onclick fetched the actual url via a synchronous ajax call, pre-parsing would request the page, and it would block the browser before the tooltip was shown. Also the website would know which links you hovered over if they decided to implement such a tracking technique. (although can be accomplished otherwise more easily)
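The behaviour discussed in comments 2 and 5, as an added example that is not part of the original thread: a static audit that flags anchors carrying inline mouse handlers (the markup shape quoted in comment 2) and decodes an `l.php?u=` style redirector without executing any page script. The function names, the `TOKEN` placeholder and the second sample link are assumptions made for illustration; handlers attached from script with `addEventListener` are not visible to a markup-only check.

```javascript
// Added example: static audit of anchors whose displayed
// href may not be where a click actually goes.
const MOUSE_HANDLERS = ['onmousedown', 'onmouseup', 'onclick', 'onauxclick', 'oncontextmenu'];
const START_TAG = /<a\s(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
const ATTR = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Parse the quoted attributes of one <a ...> start tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// If url has the l.php?u=<target> redirector shape, return the decoded
// target; otherwise null. The parameter name 'u' is taken from the report.
function unwrapRedirector(url, param = 'u') {
  try {
    const target = new URL(url).searchParams.get(param);
    return target && /^https?:\/\//i.test(target) ? target : null;
  } catch {
    return null; // not an absolute URL
  }
}

// Flag every anchor carrying an inline mouse handler: script can change the
// destination at click time, so the hovered or copied href is only a hint.
function auditLinks(html) {
  return [...html.matchAll(START_TAG)].map(([tag]) => {
    const attrs = parseAttrs(tag);
    const handlers = MOUSE_HANDLERS.filter((name) => name in attrs);
    return {
      href: attrs.href || null,
      handlers,
      hasInlineHandler: handlers.length > 0,
      unwrapped: attrs.href ? unwrapRedirector(attrs.href) : null,
    };
  });
}

// Sample: the anchor shape from comment 2 (token replaced), plus a constructed link.
const SAMPLE = `
<a onmousedown='UntrustedLink.bootstrap($(this), "TOKEN", event, bagof(null));' rel="nofollow" target="_blank" href="http://lyrics.wikia.com/Lord_Finesse:Hey_Look_At_Shorty">Lord Finesse</a>
<a href="http://www.example.org/l.php?u=http%3A%2F%2Fexample.com%2Fpage&h=CONSTRUCTED">constructed</a>`;

console.log(auditLinks(SAMPLE));
```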
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE