
Issue 772914 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Link preview compromised

Reported by jidanni@gmail.com, Oct 9 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Browse https://www.google.com.tw/search?q=Pic4Carto
2. Place cursor above Pic4Carto
3. Notice link preview in lower left is
"http://projets.pavie.info/pic4carto/"
4. Now left click "copy link location".
5. Now paste the link we copied somewhere.
The link we pasted IS NOT the link shown in preview!

We have been cheated. Security issue here.

One might say it is OK for some sites to cheat us this way, but other
sites shouldn't?

What is the point of link preview if bait and switch can occur?
6. Now repeat step 2.

Notice the link preview has changed from what it was before, all without
us reloading the page.

If the browser is aware of what is going on, it should show two versions
of the link during preview.

If this site is on a special list of sites that are allowed to use
"different" link previews, then a red exclamation mark should appear
next to the preview at the left side, and clicking it should explain
that this site is on a special list.

What is the expected behavior?

What went wrong?
Loss of trust in the browser link preview.

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: stable
OS Version: 
Flash Version:
 
Labels: Needs-Triage-M61
Cc: ranjitkan@chromium.org
Components: -UI UI>Browser>Search
Labels: OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Tagging with "UI>Browser>Search" component so that someone from the search team addresses it.

Untriaged the issue so that issue gets addressed. 
Status: WontFix (was: Untriaged)
The link status text has never been a security surface.  Because of onclick handlers, sites can navigate anywhere (or do anything else) when you click a link.  Because the halting problem is not solvable, browsers cannot tell you ahead of time what the site is going to do.

Therefore, in all browsers, this text is simply a best-effort attempt to show what will happen; it's not a reliable one (and cannot be made to be).

In the particular case of Google, the site completely changes the link's target when you click down, which is why you see the preview change at that point.  The browser can't know in advance that's what will happen.
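The mousedown href swap described in the WontFix comment, side by side with the hover-versus-click comparison the reporter asks for, as an added example that is not part of this issue or of Chromium's code. It runs under Node.js with the built-in EventTarget standing in for a real anchor element; the function names are hypothetical and the swapped redirect URL is a constructed placeholder, since the real one is not on the page.

```javascript
// Added example (not from the Chromium tracker or Chromium's code).
// Node's built-in EventTarget models a DOM anchor; event listeners run
// synchronously on dispatchEvent, just as they would in a browser.
class FakeAnchor extends EventTarget {
  constructor(href) { super(); this.href = href; }
}

// Site-side behaviour described in the WontFix comment: the href shown in
// the status text on hover is replaced on mousedown, so the browser's
// preview was honest at hover time but stale by the time the click lands.
function installMousedownSwap(anchor, realTarget) {
  anchor.addEventListener('mousedown', () => { anchor.href = realTarget; });
}

// Defender-side check (the "show two versions" idea from the report):
// remember the href the status text would have shown when the pointer
// entered the link, then compare it with the href at click time.
function attachLinkAuditor(anchor, onMismatch) {
  let previewed = null;
  anchor.addEventListener('mouseover', () => { previewed = anchor.href; });
  anchor.addEventListener('click', () => {
    if (previewed !== null && previewed !== anchor.href) {
      onMismatch({ previewed, actual: anchor.href });
    }
  });
}

// Drive the sequence from the bug report (hover, mousedown, click) and
// return the mismatch record, or null when the preview matched the target.
function simulateHoverThenClick(previewHref, realTarget) {
  const a = new FakeAnchor(previewHref);
  installMousedownSwap(a, realTarget);
  let result = null;
  attachLinkAuditor(a, (m) => { result = m; });
  a.dispatchEvent(new Event('mouseover'));
  a.dispatchEvent(new Event('mousedown'));
  a.dispatchEvent(new Event('click'));
  return result;
}

// Constructed sample values: the preview URL from the report and a
// placeholder redirect target (the real redirect URL is not on the page).
const PREVIEW = 'http://projets.pavie.info/pic4carto/';
const SWAPPED = 'https://example.invalid/redirect?u=' + encodeURIComponent(PREVIEW);

console.log(simulateHoverThenClick(PREVIEW, SWAPPED)); // mismatch record
console.log(simulateHoverThenClick(PREVIEW, PREVIEW)); // null
```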
