by AinderS 1430 days ago
> the thingy in the bottom of your screen when you hover over a link, this is trivial to fake

Sounds like a security flaw. Why don't browsers patch it?


Because the company that most benefits from it existing also makes the world's most used browser.
What about other browsers?
I tested it in Firefox and Chrome. While they both display a spoofed URL in the status bar when hovered, they differ if you right-click the link. In Chrome, nothing changes. In Firefox the status bar string changes to the actual, not spoofed URL.

At least in Firefox, one can check easily what the actual URL is before clicking without having to copy-paste elsewhere.

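The behaviour discussed in the comment above, as an added example that is not part of the original thread: a stand-in for the browser's anchor handling, written for Node (which has no DOM, so the `Link` class, the `statusBarOnHover`/`leftClick`/`rightClickInspect` helpers and the URLs are all assumptions, not real browser APIs). It shows the usual spoof, an honest-looking `href` that a `mousedown` handler swaps before the default navigation runs, why a right-click reveals the real target (mousedown fires for button 2 as well), and a `detectSpoof` check that replays the handler on a copy so the visible link is left untouched.

```javascript
// Added example, not code from the thread. Minimal model of an <a> element and of
// the order in which a browser fires events around a click. Assumed names throughout.

class Link {
  constructor(href) {
    this.href = href;      // what the status bar shows on hover
    this.listeners = {};   // handlers the page attached (mousedown, click, ...)
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  // Handlers run with `this` bound to the link, as in the DOM.
  dispatch(type, button) {
    for (const fn of this.listeners[type] || []) fn.call(this, { type, button });
  }
}

// Hover: the status bar reads href at that moment and nothing else.
function statusBarOnHover(link) {
  return link.href;
}

// Left click: mousedown fires, then click, then the default action follows href
// as it is *now*. A handler that rewrote href in between wins.
function leftClick(link) {
  link.dispatch('mousedown', 0);
  link.dispatch('click', 0);
  return link.href; // the URL the browser actually navigates to
}

// Right click: mousedown fires too (button 2), so a mousedown-based swap has already
// run when the context menu opens. Reading href here is the check the comment above
// describes for Firefox.
function rightClickInspect(link) {
  link.dispatch('mousedown', 2);
  return link.href;
}

// The spoof itself: plausible href for the status bar, swapped on mousedown.
function makeSpoofedLink(shownUrl, realUrl) {
  const link = new Link(shownUrl);
  link.addEventListener('mousedown', function () { this.href = realUrl; });
  return link;
}

// User-side check: replay mousedown on a copy that shares the page's handlers and
// compare. Returns the real target if it differs from the displayed one, else null.
// The original link is not modified, so the status bar keeps showing the decoy.
function detectSpoof(link) {
  const probe = new Link(link.href);
  probe.listeners = link.listeners;
  probe.dispatch('mousedown', 0);
  return probe.href !== link.href ? probe.href : null;
}

module.exports = { Link, statusBarOnHover, leftClick, rightClickInspect, makeSpoofedLink, detectSpoof };
```

The model covers only handlers that rewrite `href`; a handler that calls `preventDefault()` and navigates from a `setTimeout` (the variant raised further down the thread) leaves `href` untouched, so `detectSpoof` would report nothing for it and a different check would be needed.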
Short of preventing JS from triggering redirects, I don't see a way they could, and that's a pretty important feature in modern web apps.
You could lock out JS redirects once the user has clicked on a URL.
If it's callstack-based, the event handler could easily just run the redirect in setTimeout. Making it time-based might work, but would break a lot of common use-cases. Maybe they could block only cross-origin redirects?

There still is the issue of Mozilla being the only one without a direct incentive to prevent this fix from rolling out. With their whopping 3 percent market share, I doubt they'd be willing to break a web feature we've had for decades.

Time based? If that's equivalent to "toggling a flag" then yes that's what I'm suggesting.

What use cases would it break? Why do you need a fake URL to show up when the link is hovered?