by franga2000 1432 days ago
What do you mean by "describing"? If you mean the thingy in the bottom of your screen when you hover over a link, this is trivial to fake and Google itself is the largest user of this "feature". In a Google search, right click a link and copy it, then paste it somewhere. It will be a long ugly google.com tracking URL, even though what your browser showed you in the hover display was the link to the actual website.

> the thingy in the bottom of your screen when you hover over a link, this is trivial to fake

Sounds like a security flaw. Why don't browsers patch it?

Because the company that most benefits from it existing also makes the world's most used browser.
What about other browsers?

Short of preventing JS from triggering redirects, I don't see a way they could, and that's a pretty important feature in modern web apps.
You could lock out JS redirects once the user has clicked on a URL.
If it's callstack-based the event handler could easily just run the redirect in setTimeout. Making it time-based might work, but would break a lot of common use-cases. Maybe they could block only cross-origin redirects?

There still is the issue of Mozilla being the only one without a direct incentive to prevent this fix from rolling out. With their whopping 3 percent market share, I doubt they'd be willing to break a web feature we've had for decades.

Sorry, I misstated: it was the article at the second link from the post I responded to. In the first image of that post, under where it says 'Get Chrome - Download Chrome Today', there is green text that shows www.google.com. I thought that was enforced by the search engine and not able to be manipulated.

At the risk of insinuating too much, there is a concerning incentive for Bing to provide corrupt links to Chrome.

That definitely seems like a major flaw with Bing's search ads. They should be either deriving that green domain name, or verifying it matches the link, or at least verifying that you own that domain.

I can't find a current Bing search ad whose green domain name doesn't match the domain of the destination of the link. Hopefully they've fixed this by now.

Interesting. I had not known that. I tested it in Firefox and Chrome. While they both display a spoofed URL in the status bar when hovered, they differ if you right-click the link. In Chrome, nothing changes. In Firefox the status bar string changes to the actual, not spoofed URL.

At least in Firefox, one can check easily what the actual URL is before clicking without having to copy-paste elsewhere.

I'm seeing that Firefox behavior in Chrome.

It seems to rewrite the link when it gets a mousedown event. Once I right-click, or if I left-click and then drag (to avoid an actual page navigation), the new hovered URL is the google.com/<tracking> version.

Also this only seems to apply to search ads/promoted results. Organic search results don't get rewritten, and copying and pasting a link address gives me the expected destination URL.
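
Added example, not part of any comment in this thread: a small check for the mousedown rewrite described above. It reads a link's `href`, fires a synthetic `mousedown`, reads it again, and reports whether the destination changed and whether it crossed origins. `checkLink`, `FakeAnchor`, `makeSamples` and the example.org / tracker.example URLs are constructed for illustration.

```javascript
// Works on any EventTarget with an `href` property: a real <a> element in a
// browser console, or the constructed stand-in below when run under Node.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

function checkLink(link) {
  const shown = link.href;   // what the hover status bar displays
  // Browsers provide MouseEvent; Node only has the generic Event class.
  const Ev = typeof MouseEvent === 'function' ? MouseEvent : Event;
  // Caveat: synthetic events have isTrusted === false, so a page that
  // checks that flag can ignore this probe. A clean result is not proof.
  link.dispatchEvent(new Ev('mousedown', { bubbles: true, cancelable: true }));
  const actual = link.href;  // what a click would navigate to now
  return {
    shown,
    actual,
    rewritten: shown !== actual,
    crossOrigin: originOf(shown) !== originOf(actual),
  };
}

// Constructed sample links (assumptions, not taken from any real page).
class FakeAnchor extends EventTarget {
  constructor(href) { super(); this.href = href; }
}

function makeSamples() {
  const plain = new FakeAnchor('https://example.org/article');
  const swapped = new FakeAnchor('https://example.org/article');
  swapped.addEventListener('mousedown', () => {
    swapped.href = 'https://tracker.example/r?dest=https%3A%2F%2Fexample.org%2Farticle';
  });
  const tagged = new FakeAnchor('https://example.org/article');
  tagged.addEventListener('mousedown', () => {
    tagged.href = 'https://example.org/article?ref=ad';
  });
  return { plain, swapped, tagged };
}

for (const [name, link] of Object.entries(makeSamples())) {
  const r = checkLink(link);
  console.log(name, r.rewritten ? `rewritten -> ${r.actual}` : 'unchanged',
              r.crossOrigin ? '(cross-origin)' : '');
}
```

In a browser console, `[...document.links].map(checkLink).filter(r => r.crossOrigin)` lists the links on the current page whose destination changes origin on mousedown.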