| Yeah, those are legitimate problems, I agree. I guess I was thinking, browser vendors and clients that care are already taking measures to inform users if the URL they are browsing is safe / secure (HTTPS enabled UI for example) - I was just trying to think of some way for the HTML source itself to indicate "hey, the value of the href of this link should be exactly 'X', and a user can see that relatively easily, and if for any reason it is NOT 'X' then the link should not be trusted". I mean, the clients could also take active measures to block such links as well... if the "href" is not the same as the expected value for the href (or if it changes), then the client disables the link automatically. I don't think one would use the "safe-links" I described everywhere (like, not in places where they would bleed through). I think they might be a special use case, maybe for emails and clients that are rendering more document oriented HTML as opposed to web-site/web application type HTML, although browsers could certainly render them. Of course, those clients would have to be trustworthy too. I suppose rather than showing any visual cues that the link is enabled, clients could just validate that...
if they see a link like this (without text or an ending anchor tag) ->
<a href="http://www.google.com">
then the one and ONLY action the link can take is to navigate to the precise href specified, and it would only render the text of the href as the content of the anchor tag. So maybe a visual cue is not even needed - just enforcement by trustworthy clients. |