Why do browsers allow onmousedown JS to change href?
I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.
For example, I can be sent to http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b even though my browser renders the link preview as http://www.google.com/.
Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right-clicked the link, I saw the href attribute change in Firebug.
This worries me.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?
Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the javascript before reading the href attribute, so that I am sent to the location I thought I was going to, not the one changed while I was clicking it?
Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.
I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:
Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:
So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples. The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.
To change this, browsers would need to give the href value set on a link at the time of the click precedence over any other events that might happen, basically disabling mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.
Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.
If by "check" you mean the link 'preview' browsers show at the bottom status bar then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jquery script below on a page will cause all links to go to google.com regardless of what the actual href target of the link is:
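As an added example (not code from the question or either answer above), here is a small audit in the spirit of the "detect and warn" idea from the first answer: it records the href the status bar would preview, fires a synthetic mousedown the way a real click would, and reports whether the href was rewritten, then decodes the real destination from an l.php-style redirector like the one quoted in the question. The FakeAnchor class and the mousedown handler are constructed stand-ins so it runs in Node; in a browser you would pass real anchors from document.querySelectorAll('a').

```javascript
// Snapshot the previewed href, dispatch a bubbling mousedown (so handlers on
// parent elements fire too, as the first answer notes), compare, then restore.
function auditLink(anchor) {
  const shown = anchor.href;                       // what the status bar previews
  anchor.dispatchEvent(new Event('mousedown', { bubbles: true, cancelable: true }));
  const actual = anchor.href;                      // what the click would follow
  anchor.href = shown;                             // undo the rewrite after auditing
  return { shown, actual, rewritten: shown !== actual };
}

// Facebook's l.php carries the destination in the `u` query parameter (see the
// URL quoted in the question). Decode it; other URLs are returned unchanged.
function finalDestination(href, param = 'u') {
  const url = new URL(href);
  if (url.pathname.endsWith('/l.php') && url.searchParams.has(param)) {
    return url.searchParams.get(param);            // searchParams percent-decodes
  }
  return href;
}

// Constructed stand-in for an <a> element: an EventTarget with an href property.
class FakeAnchor extends EventTarget {
  constructor(href) { super(); this.href = href; }
}

// Constructed sample link whose mousedown handler swaps in the redirector,
// mimicking the behaviour the question observed. The `h` value is a placeholder.
const link = new FakeAnchor('http://www.google.com/');
link.addEventListener('mousedown', () => {
  link.href = 'http://www.facebook.com/l.php?u='
    + encodeURIComponent('http://www.google.com/') + '&h=PLACEHOLDER';
});

const report = auditLink(link);
console.log(report.rewritten
  ? `href rewritten on mousedown: ${report.shown} -> ${report.actual}`
    + ` (decoded destination: ${finalDestination(report.actual)})`
  : `href stable: ${report.shown}`);
```

This only catches handlers that rewrite href; as the first answer points out, a handler that sets window.location or replaces the element entirely slips past such a check, which is why the status bar preview cannot be trusted in general.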
Not really, because Facebook is where the said javascript would have to be called from. The user has to go to an untrusted source in the first place who would embed the javascript in the tag.