Firefox allows sites to show FALSE link destinations
If you do a Google image search and click on an image to expand it, you'll see two links on the right to the website.
If you rollover these links, Firefox shows the supposed destination URL in the bottom left hand corner - however - if you right click these links and copy the destination - the TRUE destination is different and contains tracking information.
Isn't this a huge security problem? If a site can "show you" one destination URL but it actually leads somewhere else. I don't want a web browser that allows sites to trick me into thinking the destination is something other than what it is.
Can anyone advise?
Všetky odpovede (7)
Hello MartyJames, Redirects are a common nuisance all over the web. Firefox security settings can help block some of them and there a number of extensions available. For example: Skip Redirect
Surely the browser should be able to prevent it?
I presume what Google is doing is changing the link target at the moment the user clicks the link. Firefox should prevent this from happening by keeping all link targets fixed and locked?
Hi MartyJames, I wouldn't go as far as saying that Google is doing this intentionally. Search for 'Google Images Redirects.' Redirects are an avenue for malicious content , trojans and viruses. They should be treated as such and appropriate security should be used against them. No anti-virus, anti-malware, content blocker, adblocker, etc. is 100% effective. The best approach that I have found is to "layer" your protection. I might not be able to stop that redirect but I can block the trojan that it leads to.
Good Luck!
This is how Google search works. If you open a link then this link is checked against the Google Safe Browsing website to make sure that the link is safe. This is done via an onclick handler that is used instead of the href attribute that Firefox shows when you hover a link.
MartyJames said
I presume what Google is doing is changing the link target at the moment the user clicks the link.
When I check the page in Firefox, there is an event handler that runs halfway through a click that changes the href value:
<a href="https://www.mozilla.org/en-US/firefox/new/" onmousedown="return rwt(this,'','','','1','AOvVaw0vazKuR14XhwfqVIbMkqKU','','2ahUKEwjryZb-m4bjAhXQX80KHfG0B5sQFjAAegQIARAB','','',event)" hreforiginal="https://www.mozilla.org/en-US/firefox/new/"><h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla</h3>...</a>
On Chrome, it's a bit different, the tracking is more transparent:
<a href="https://www.mozilla.org/en-US/firefox/new/" ping="/url?sa=t&source=web&rct=j&url=https://www.mozilla.org/en-US/firefox/new/&ved=2ahUKEwiPwL-wnobjAhVOUs0KHRD2AcYQFjAAegQIABAB" hreforiginal="https://www.mozilla.org/en-US/firefox/new/"><h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla</h3>...</a>
Firefox should prevent this from happening by keeping all link targets fixed and locked?
There are scenarios where href changes are not done for tracking or evil, but to account for other data in the page. Also, if this was banned, the same could be accomplished by calling a script method to navigate the page (e.g., location.href or window.open) without having to change the href. So it's a tricky problem.
Anyway, my workaround is to use this extension: https://addons.mozilla.org/firefox/addon/google-search-link-fix/
Thanks for the replies.
jscher2000, Thanks once again. An excellent answer as always.
I just think Firefox is too "liberal" by default. Things like allowing clipboard interaction, allowing hidden text to be copied to the clipboard, right button interaction (I've disabled all these), allowing scripts to navigate the page, etc. I don't want anything so complicated in a browser, or sites doing things I'm not aware of. I just want old-fashioned WYSIWYG html. Nothing "hidden".
I think Firefox should have a nice big button in the settings called "Simple Mode" which disables ALL unnecessary security risks. Navigation is restricted to conventional (visible) html links and buttons. Then you can whitelist sites you trust if you want to give them more advanced functionality.
As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom!
I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online.
Upravil(a) MartyJames dňa
MartyJames said
As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom!
As far as I can tell, it doesn't exfiltrate data, but I agree that the permission is broader than necessary.
I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online.
The Add-ons team regularly updates its screening tools, but it is a little tricky reading code.