为什么浏览器允许onmousedown JS更改href? [英] Why do browsers allow onmousedown JS to change href?
问题描述
很长一段时间以来,我注意到当您尝试复制链接位置或在Facebook上打开链接时,它会修改链接并将其通过l.php传递.
I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.
例如,我可以发送给
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b
即使我的浏览器将链接预览呈现为http://www.google.com/.
even though my browser render the link preview as http://www.google.com/.
今天,我仔细研究了Firebug,发现Facebook在<a>标记中放置了onmousedown="UntrustedLink.bootstrap($(this)[...].我第二次右键单击该链接,我看到了Firebug中的href属性更改.
Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.
这让我担心.
我们中的许多人已经向不那么精通技术的人们提供了建议(在单击之前检查链接将您带到何处,以免您成为网络钓鱼的受害者)现在似乎变得毫无用处.这不是安全风险吗?网络钓鱼网站不能滥用此功能吗?
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?
为什么浏览器不能通过禁止onmousedown更改href来防止这种行为,或者在读取href属性之前运行javascript来阻止这种行为,这样我就被发送到了以为我要去的位置,不是我单击时所做的一项更改?
Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the javascript before reading the href attribute, so that I am sent to the location I thought I going to, not the one change while I was clicking it?
编辑:我想简单地强调一下,除了被网络诱骗的风险之外,困扰我的还有用户被误导了,这对我来说是错误的,无论这种情况是否会发生,无论是通过可信任的来源是否.
Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.
推荐答案
我同意这里存在网络钓鱼的潜力.据报道,这是很久以前的FireFox中的 bug ,但是问题出在是这个吗?
I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:
<body onmousedown="document.getElementById('changeMe').href='www.somewhereelse.com'">
<a id="changeMe" href="www.google.com">google</a>
</body>
事件冒泡到其父级,您需要检测onmousedown事件是否会更改子元素的href.听起来合理吗?好的,这怎么样:
Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:
<script>
function switcher() {
window.location = "www.somewhereelse.com";
return false;
}
</script>
<body onmousedown="switcher()">
<a href="www.google.com">google</a>
</body>
因此,我们还需要在onmousedown事件触发的函数中注意window.location.听起来还合理吗?如果我有onmousedown事件,请完全删除该链接,将其替换为新元素,然后触发该点击.我可以继续列举一些例子.
So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.
关键是,可以使用Javascript使用状态栏来误导人们-您不应该信任它,而只能信任URL.
The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.
要更改此设置,浏览器将需要在单击主持权时为链接设置set href值,以取代可能发生的任何其他事件,基本上禁用锚标记上的鼠标事件.我敢冒险猜测他们可能不会这样做,这会破坏太多已经存在的应用程序.
To change this browsers would need to give the set href value on a link at the time of the click presidency over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.
或者,我看到人们提出了不同的方法来检测和警告用户有关可能的链接劫持的行为,但是我还没有看到任何实现的方法.
Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.
这篇关于为什么浏览器允许onmousedown JS更改href?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
