Krzysztof Żelechowski wrote:
Dnia 01-03-2008, So o godzinie 17:12 -0800, Maciej Stachowiak pisze:
On Mar 1, 2008, at 4:20 PM, Jonas Sicking wrote:
For example on a <a href="...">, does the user hovering the node
count?
If you display an absolute URI to the user at this time it should get
resolved against the current base, but since this is not a load, it
should get resolved again when the user clicks the link, if the base
changed.
I am not sure I understand you correctly
but if this introduces the ability
to make the user agent
report a different URL than the effective target,
it is going to be a sweet candy for phishers.
(Newer browsers made this effect unavailable to scripts).
It is already very possible to make a link that appears to go to one
url, but in reality goes to another. Here are three examples:
<a href="http://www.good.com";
onclick="window.location='http://www.evil.com'">
<a href="http://www.good.com";
onmousedown="this.href='http://www.evil.com'">
<span style="color: blue; text-decoration: underline;"
onclick="window.location='http://www.evil.com'">
go to www.good.com
</span>
/ Jonas
