X
Tap here to go to the mobile version of the site.

Support Forum

Firefox allows sites to show FALSE link destinations

Posted

If you do a Google image search and click on an image to expand it, you'll see two links on the right to the website.

If you rollover these links, Firefox shows the supposed destination URL in the bottom left hand corner - however - if you right click these links and copy the destination - the TRUE destination is different and contains tracking information.

Isn't this a huge security problem? If a site can "show you" one destination URL but it actually leads somewhere else. I don't want a web browser that allows sites to trick me into thinking the destination is something other than what it is.

Can anyone advise?

If you do a Google image search and click on an image to expand it, you'll see two links on the right to the website. If you rollover these links, Firefox shows the supposed destination URL in the bottom left hand corner - however - if you right click these links and copy the destination - the TRUE destination is different and contains tracking information. Isn't this a huge security problem? If a site can "show you" one destination URL but it actually leads somewhere else. I don't want a web browser that allows sites to trick me into thinking the destination is something other than what it is. Can anyone advise?
Quote

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

More Information

My_Cheese_Is_Slippin'
  • Top 10 Contributor
61 solutions 739 answers

Helpful Reply

Hello MartyJames, Redirects are a common nuisance all over the web. Firefox security settings can help block some of them and there a number of extensions available. For example: Skip Redirect

Hello MartyJames, Redirects are a common nuisance all over the web. Firefox security settings can help block some of them and there a number of extensions available. For example: [https://addons.mozilla.org/en-US/firefox/addon/skip-redirect/?src=search Skip Redirect]
Was this helpful to you? 1
Quote

Question owner

Surely the browser should be able to prevent it?

I presume what Google is doing is changing the link target at the moment the user clicks the link. Firefox should prevent this from happening by keeping all link targets fixed and locked?

Surely the browser should be able to prevent it? I presume what Google is doing is changing the link target at the moment the user clicks the link. Firefox should prevent this from happening by keeping all link targets fixed and locked?
Was this helpful to you?
Quote
My_Cheese_Is_Slippin'
  • Top 10 Contributor
61 solutions 739 answers

Hi MartyJames, I wouldn't go as far as saying that Google is doing this intentionally. Search for 'Google Images Redirects.' Redirects are an avenue for malicious content , trojans and viruses. They should be treated as such and appropriate security should be used against them. No anti-virus, anti-malware, content blocker, adblocker, etc. is 100% effective. The best approach that I have found is to "layer" your protection. I might not be able to stop that redirect but I can block the trojan that it leads to.

Good Luck!

Hi MartyJames, I wouldn't go as far as saying that Google is doing this intentionally. Search for 'Google Images Redirects.' Redirects are an avenue for malicious content , trojans and viruses. They should be treated as such and appropriate security should be used against them. No anti-virus, anti-malware, content blocker, adblocker, etc. is 100% effective. The best approach that I have found is to "layer" your protection. I might not be able to stop that redirect but I can block the trojan that it leads to. Good Luck!
Was this helpful to you?
Quote
cor-el
  • Top 10 Contributor
  • Moderator
17467 solutions 157838 answers

Helpful Reply

This is how Google search works. If you open a link then this link is checked against the Google Safe Browsing website to make sure that the link is safe. This is done via an onclick handler that is used instead of the href attribute that Firefox shows when you hover a link.

This is how Google search works. If you open a link then this link is checked against the Google Safe Browsing website to make sure that the link is safe. This is done via an onclick handler that is used instead of the href attribute that Firefox shows when you hover a link. *https://transparencyreport.google.com/safe-browsing/overview
Was this helpful to you? 1
Quote
jscher2000
  • Top 10 Contributor
8684 solutions 70998 answers

MartyJames said

I presume what Google is doing is changing the link target at the moment the user clicks the link.

When I check the page in Firefox, there is an event handler that runs halfway through a click that changes the href value:

<a href="https://www.mozilla.org/en-US/firefox/new/" onmousedown="return rwt(this,'','','','1','AOvVaw0vazKuR14XhwfqVIbMkqKU','','2ahUKEwjryZb-m4bjAhXQX80KHfG0B5sQFjAAegQIARAB','','',event)" hreforiginal="https://www.mozilla.org/en-US/firefox/new/"><h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla</h3>...</a>

On Chrome, it's a bit different, the tracking is more transparent:

<a href="https://www.mozilla.org/en-US/firefox/new/" ping="/url?sa=t&source=web&rct=j&url=https://www.mozilla.org/en-US/firefox/new/&ved=2ahUKEwiPwL-wnobjAhVOUs0KHRD2AcYQFjAAegQIABAB" hreforiginal="https://www.mozilla.org/en-US/firefox/new/"><h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla</h3>...</a>

Firefox should prevent this from happening by keeping all link targets fixed and locked?

There are scenarios where href changes are not done for tracking or evil, but to account for other data in the page. Also, if this was banned, the same could be accomplished by calling a script method to navigate the page (e.g., location.href or window.open) without having to change the href. So it's a tricky problem.

Anyway, my workaround is to use this extension: https://addons.mozilla.org/firefox/addon/google-search-link-fix/

''MartyJames [[#answer-1232847|said]]'' <blockquote> I presume what Google is doing is changing the link target at the moment the user clicks the link. </blockquote> When I check the page in Firefox, there is an event handler that runs halfway through a click that changes the href value: &lt;a href="https://www.mozilla''.''org/en-US/firefox/new/" '''onmousedown'''<nowiki>="return rwt(this,'','','','1','AOvVaw0vazKuR14XhwfqVIbMkqKU','','2ahUKEwjryZb-m4bjAhXQX80KHfG0B5sQFjAAegQIARAB','','',event)"</nowiki> hreforiginal="https://www.mozilla''.''org/en-US/firefox/new/">&lt;h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla&lt;/h3>...&lt;/a> On Chrome, it's a bit different, the tracking is more transparent: &lt;a href="https://www.mozilla''.''org/en-US/firefox/new/" '''ping'''="/url?sa=t&amp;source=web&amp;rct=j&amp;url=https://www.mozilla''.''org/en-US/firefox/new/&amp;ved=2ahUKEwiPwL-wnobjAhVOUs0KHRD2AcYQFjAAegQIABAB" hreforiginal="https://www.mozilla''.''org/en-US/firefox/new/">&lt;h3 class="LC20lb">Download Firefox — Free Web Browser — Mozilla&lt;/h3>...&lt;/a> <blockquote>Firefox should prevent this from happening by keeping all link targets fixed and locked? </blockquote> There are scenarios where href changes are not done for tracking or evil, but to account for other data in the page. Also, if this was banned, the same could be accomplished by calling a script method to navigate the page (e.g., location.href or window.open) without having to change the href. So it's a tricky problem. Anyway, my workaround is to use this extension: https://addons.mozilla.org/firefox/addon/google-search-link-fix/
Was this helpful to you? 1
Quote

Question owner

Thanks for the replies.

jscher2000, Thanks once again. An excellent answer as always.

I just think Firefox is too "liberal" by default. Things like allowing clipboard interaction, allowing hidden text to be copied to the clipboard, right button interaction (I've disabled all these), allowing scripts to navigate the page, etc. I don't want anything so complicated in a browser, or sites doing things I'm not aware of. I just want old-fashioned WYSIWYG html. Nothing "hidden".

I think Firefox should have a nice big button in the settings called "Simple Mode" which disables ALL unnecessary security risks. Navigation is restricted to conventional (visible) html links and buttons. Then you can whitelist sites you trust if you want to give them more advanced functionality.

As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom!

I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online.

Thanks for the replies. '''jscher2000''', Thanks once again. An excellent answer as always. I just think Firefox is too "liberal" by default. Things like allowing clipboard interaction, allowing hidden text to be copied to the clipboard, right button interaction (I've disabled all these), allowing scripts to navigate the page, etc. I don't want anything so complicated in a browser, or sites doing things I'm not aware of. I just want old-fashioned WYSIWYG html. Nothing "hidden". I think Firefox should have a nice big button in the settings called "Simple Mode" which disables ALL unnecessary security risks. Navigation is restricted to conventional (visible) html links and buttons. Then you can whitelist sites you trust if you want to give them more advanced functionality. As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom! I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online.

Modified by MartyJames

Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8684 solutions 70998 answers

MartyJames said

As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom!

As far as I can tell, it doesn't exfiltrate data, but I agree that the permission is broader than necessary.

I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online.

The Add-ons team regularly updates its screening tools, but it is a little tricky reading code.

''MartyJames [[#answer-1232937|said]]'' <blockquote> As for the add-on you recommended, thanks that looks really good, though I am nervous about installing add-ons. Firefox says it can access all my data for all sites, so I have to assume all that data (including every email I send) will be logged and sent home - to God knows whom! </blockquote> As far as I can tell, it doesn't exfiltrate data, but I agree that the permission is broader than necessary. <blockquote>I've told Firefox about this before, but merely giving us a list of things which add-ons can access is useless. All we really need to know about add-ons is: Do they send telemetry? Mozilla should implement a verification system for add-ons which verifies them as 100% local and telemetry-free. This is the information we really need about add-ons. I don't care what information an add-on can "see" as long as it's not going online. </blockquote> The Add-ons team regularly updates its screening tools, but it is a little tricky reading code.
Was this helpful to you? 1
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.