- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 03 Mar 2008 12:37:31 -0800
Krzysztof Żelechowski wrote:
> On 01-03-2008, Sat, at 17:12 -0800, Maciej Stachowiak wrote:
>> On Mar 1, 2008, at 4:20 PM, Jonas Sicking wrote:
>>> For example on a <a href="...">, does the user hovering the node
>>> count?
>> If you display an absolute URI to the user at this time it should get
>> resolved against the current base, but since this is not a load, it
>> should get resolved again when the user clicks the link, if the base
>> changed.
>
> I am not sure I understand you correctly
> but if this introduces the ability
> to make the user agent
> report a different URL than the effective target,
> it is going to be a sweet candy for phishers.
> (Newer browsers made this effect unavailable to scripts).

It is already very possible to make a link that appears to go to one url,
but in reality goes to another. Here are three examples:

<a href="http://www.good.com" onclick="window.location='http://www.evil.com'">

<a href="http://www.good.com" onmousedown="this.href='http://www.evil.com'">

<span style="color: blue; text-decoration: underline;"
      onclick="window.location='http://www.evil.com'">
go to www.good.com
</span>

/ Jonas
Received on Monday, 3 March 2008 12:37:31 UTC
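
An added example, not part of the original message: a static check that flags the three patterns shown in the message, where a script handler can send the user somewhere other than the destination the markup displays. The function and constant names, the handler list and the sample markup are assumptions constructed for this illustration.

```javascript
// Event handlers that fire while the user interacts with a link-like element (assumed list).
const HANDLERS = ['onclick', 'onmousedown', 'onmouseup', 'onmouseover', 'onfocus', 'onkeydown'];
// Writes that change where the browser goes or what a link targets (comparisons are ignored).
const NAV_WRITE = /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:assign|replace)\s*\(|\.href\s*=(?!=)/;
const OPEN_TAG = /<([a-z][a-z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttrs(src) {
  const attrs = Object.create(null);
  for (const m of src.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in HTML parsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Report every element whose handler rewrites the navigation target.
function findDeceptiveLinks(html) {
  const findings = [];
  for (const m of html.matchAll(OPEN_TAG)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    for (const handler of HANDLERS) {
      if (!(handler in attrs) || !NAV_WRITE.test(attrs[handler])) continue;
      const isLink = tag === 'a' && 'href' in attrs;
      findings.push({
        tag,
        handler,
        // A real link whose href is shown but overridden, or a styled element that only looks like a link.
        kind: isLink ? 'href-overridden-by-script' : 'script-only-navigation',
        shownHref: isLink ? attrs.href : null,
      });
    }
  }
  return findings;
}

// Constructed sample: the three patterns from the message plus one benign link.
const SAMPLE = `
<a href="http://good.example/" onclick="window.location='http://evil.example/'">good</a>
<a href="http://good.example/" onmousedown="this.href='http://evil.example/'">good</a>
<span style="color: blue; text-decoration: underline;"
      onclick="window.location='http://evil.example/'">go to good.example</span>
<a href="http://good.example/" onclick="track('nav')">good</a>`;

console.log(findDeceptiveLinks(SAMPLE));
```

This is a markup-level heuristic only: handlers attached later with addEventListener, or navigation hidden behind a function call, are not visible to it.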