On 21 Apr 2021, at 11:45, Kris Deugau wrote:
> Can anyone point me to a reference document describing what the
> "data-saferedirecturl" attribute on an <a> tag is supposed to be
> useful for, and for bonus points any hints why it can't be trivially
> and horribly abused by scammers?
>
> Most of the search results I've turned up reference URL-munging
> observed inside GMail, but clearly this is some broader HTML attribute
> or it wouldn't be supported by mail clients.

What evidence do you have of it being "supported" by any non-Google mail
client?

> As best I can tell it's a way to work around hiding the actual link
> target address without using Javascript,

As best I can tell, the only way it serves any function is if you are
viewing the email in something that executes Javascript written to use
that attribute.

> and getting a bonus tell-Google-where-you're-going if you click the
> link. The majority of these I've come across bounce the link through
> Google Search because Reasons, although some seem to be keen on
> abusing some other Google redirector.
>
> Unfortunately I'm also seeing these in legitimate mail, and the rule I
> added locally a couple weeks ago for a subset of variations has
> triggered a handful of FPs.

I would not expect to see that attribute in any email that had not been
handled by Google.

--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
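
One way a mail filter could inspect anchors carrying this attribute, as an added example that is not part of the original message or of either poster's rules: it lists each such link and reports whether the destination embedded in the attribute matches the visible href. The `q` query parameter as the carrier of the destination, the class and function names, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample body, not taken from any real message.
SAMPLE_HTML = """
<p><a href="https://example.org/invoice"
      data-saferedirecturl="https://www.google.com/url?q=https://example.org/invoice&amp;source=gmail">ok</a>
<a href="https://example.org/login"
   data-saferedirecturl="https://www.google.com/url?q=https://login.example.net/x">mismatch</a>
<a href="https://example.com/plain">no attribute</a></p>
"""


class SafeRedirectAudit(HTMLParser):
    """Collect <a> tags that carry data-saferedirecturl and compare it with href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)  # HTMLParser lower-cases names and unescapes values
        redirect = a.get("data-saferedirecturl")
        if redirect is None:
            return  # ordinary link, nothing to compare
        href = a.get("href") or ""
        parts = urlsplit(redirect)
        # Assumption: the redirector carries the destination in a "q" parameter.
        embedded = parse_qs(parts.query).get("q", [None])[0]
        self.findings.append({
            "href": href,
            "redirect_host": (parts.hostname or "").lower(),
            "embedded": embedded,
            "mismatch": embedded != href,  # attribute points somewhere else
        })


def audit(html_body):
    """Return one finding per anchor that has a data-saferedirecturl attribute."""
    parser = SafeRedirectAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

Scoring on the mismatch flag rather than on the mere presence of the attribute avoids hitting legitimate mail that has simply passed through Gmail.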