Why do browsers allow onmousedown JS to change href?
<p>I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through <code>l.php</code>.</p>
<p>For example, I can be sent to</p>
<pre><code>http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&amp;h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b</code></pre>
<p>even though my browser renders the link preview as <code>http://www.google.com/</code>.</p>
<p>Today, I took a closer look using Firebug and found that Facebook puts <code>onmousedown="UntrustedLink.bootstrap($(this)[...]</code> in the <code>&lt;a&gt;</code> tag. The second I right-clicked the link, I saw the <code>href</code> attribute change in Firebug.</p>
<p>This worries me.</p>
<p>The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?</p>
<p>Why don't browsers prevent this behavior either by disallowing <code>onmousedown</code> to change the <code>href</code> or by running the JavaScript before reading the <code>href</code> attribute, so that I am sent to the location I thought I was going to, not the one changed while I was clicking it?</p>
<p><strong>Edit</strong>: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.</p>
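A defender-side check for the behaviour described in the question, as an added example that is not part of the original post: it snapshots a link's `href` before the page's own `onmousedown` handler can run and compares it once the click or context-menu event arrives. The names `createRewriteDetector`, `closestAnchor` and `originOf` are hypothetical, and the browser wiring assumes it is loaded as an extension content script or user script.

```javascript
// Added example, not from the original post: detect an href that page script
// rewrites between mousedown and the click/contextmenu that follows it.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

function closestAnchor(node) {
  while (node && node.tagName !== 'A') node = node.parentNode;
  return node || null;
}

function createRewriteDetector(report) {
  const shownHref = new WeakMap(); // anchor -> href before page handlers ran
  return {
    // Register in the capture phase on document so this runs before the
    // anchor's own onmousedown attribute handler.
    before(event) {
      const a = closestAnchor(event.target);
      if (a) shownHref.set(a, a.href);
    },
    // click, auxclick and contextmenu fire after mousedown handlers finished.
    after(event) {
      const a = closestAnchor(event.target);
      if (!a || !shownHref.has(a)) return null;
      const shown = shownHref.get(a);
      shownHref.delete(a);
      if (shown === a.href) return null;
      const finding = { shown, actual: a.href,
                        crossOrigin: originOf(shown) !== originOf(a.href) };
      report(finding);
      return finding;
    },
  };
}

// Browser wiring (skipped when there is no DOM, e.g. under Node).
if (typeof document !== 'undefined') {
  const d = createRewriteDetector((f) => console.warn('href rewritten', f));
  document.addEventListener('mousedown', d.before, true);
  for (const type of ['click', 'auxclick', 'contextmenu']) {
    document.addEventListener(type, d.after, true);
  }
}
```

The `crossOrigin` flag separates a same-site tracking rewrite from one that sends the user to a different origin than the status bar showed.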
 
