Why do browsers allow onmousedown JS to change hre

2019-03-09 02:46发布

问题:

I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.

For example, I can be sent to

 http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b

even though my browser render the link preview as http://www.google.com/.

Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.

This worries me.

The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?

Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the javascript before reading the href attribute, so that I am sent to the location I thought I going to, not the one change while I was clicking it?

Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.

回答1:

I agree that there is potential here for phishing. This was reported as a bug in FireFox quite a long time ago, but the problem is this:

<body onmousedown="document.getElementById('changeMe').href='www.somewhereelse.com'">
    <a id="changeMe" href="www.google.com">google</a>
</body>

Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:

<script>
    function switcher() {
       window.location = "www.somewhereelse.com";
       return false;
    }
</script>
<body onmousedown="switcher()">
    <a href="www.google.com">google</a>
</body>

So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.

The point is, Javascript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.

To change this browsers would need to give the set href value on a link at the time of the click presidency over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.

Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.



回答2:

The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless.

If by "check" you mean the link 'preview' browsers show at the bottom status bar then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jquery script below on a page will cause all link to go to google.com regardless of what the actual href target of the link is:

$('a').click(function(evt){evt.preventDefault();window.location.href="http://google.com"})


回答3:

Can't phishing websites misuse this?

Not really, because facebook is where the said javascript would have to be called from. The user has to go an untrusted source in the first place who would embed the javascript in the tag.