Anatomy of a “feature” – should JavaScript be allowed to change a web link *after* you click on it?

A young web coding enthusiast from Manchester, UK, recently published a thought-provoking hackette intended to highlight the risks of relying only on “look before you click” while browsing the web.

With a brief and unexceptional-looking line of JavaScript, he reminds us that the URL your browser displays when you hover over a link isn’t necessarily where you will end up.

Your click destination can be changed by his script even after you you click it:

If you’ve done any JavaScript programming, or delved into the source code of any web pages, you’ll know that the <a href="..."> tag is how HTML specifies a hyperlink, and that the onclick attribute is how you tweak the behaviour of the browser when the user clicks a link.

You’ll routinely encounter a number of onxxxx attributes used in modern web programming, such as:

  • onmouseover: when you move onto an element, such as a menu
  • onmousemove: when you move around over an element
  • onmouseout: when you move off an element
  • onmousedown: when you press the primary mouse button
  • onmouseup: when you release the primary mouse button
  • onclick: after a mousedown followed by a mouseup

The animated buttons, active menus, popup calendars and general razzamatazz we expect from 21st-century cloud applications all rely on this sort of event-driven programming, where the browser sits in a loop waiting for you to do something, and then reacts promptly as soon as possible after you do.

Without these event hooks, browser-based apps would be so different from the desktop applications we’re familiar with that they’d be unintuitive and largely unusable.

The next bit of the trick involves using the onclick event to change the href attribute of the link you just clicked.

When an HTML page is loaded, the href, or hyper-reference, of each link is what was specified in the href attribute of each <a>, or anchor, tag in the HTML source file:

You’d think, or perhaps hope, that these links would be somehow sacrosanct, so that the browser could display them when you hovered over them, and thus indicate precisely where you would end up if you were to click.

→ A legitimate-looking URL isn’t necessarily trustworthy, since most infected websites don’t belong to cybercrooks, but are hacked sites used to serve up malware or poisoned links while letting someone else take the blame. But it’s still reasonable to assume that the link you see is the link you’ll get, not least because this would force dodgy URLs to look dodgy up front.

Sadly, the web hasn’t adopted that sort of simple and straightforward honesty.

Browsers, in fact, used to make it really easy to suppress the display of a click destination, simply by setting the onmouseover event to a dud operation, such as onmouseover="return true;" to tell JavaScript to report success without actually doing anything.

That doesn’t work any more, for security reasons, but there is plenty of other “legitimate trickery” in use out there, most of which we accept as a necessary evil (or perhaps as an invisible and irrelevant part) of today’s browsing.

Google, for instance, lets you hover over a link to reveal its final destination:

But it doesn’t take you directly to the designated URL when you click, as you can see if you right-click to open the link in a new tab:

Instead, you are diverted through one of Google’s interstitial links that keeps track of which users are doing what, where and when.

That’s the price you pay for Google’s admittedly very powerful, uncannily accurate, immensely useful and free-as-far-as-money goes search engine.

But the issue, as our young Mancunian suggests, is, “Should our browsers work this way?”

In particular, the issue he’s thrown into the spotlight, namely changing the destination of a link after you have clicked on it, seems to be a race condition too far.

You wouldn’t expect airline security to allow passenger A to go through the security check and then to swap places with passenger B who had not.

You wouldn’t expect a shop to show you a price of $99 on your credit card slip, ask you to approve payment, and then quietly bill you a completely different amount.

Is it time for browsers to get stricter about how and what they display, and how much manipulation of status information is allowed using JavaScript?

Should there be an option to show you precisely which URL you are going to when you click, so that you can at least try to make an informed decision about it, no matter how hard that might be?

Or should we simply accept the comfort and apparent simplicity of a slick-and-quick web browsing experience, even if it leaves the door open for chicanery?

Tell us what you think in the comments…

PS. Although Naked Security comments ask for a name and email address, you don’t have to identify yourself. You can use the name “Anon” and leave the email address blank if you like.