Re: Mystery (DOM change when JavaScript is disabled)


Andrew Poulos

Sep 20, 2021, 7:17:47 PM
On 21/09/2021 8:51 am, Stefan Ram wrote:
> A web page has a link that is shown (in the status bar when
> the mouse is positioned over it) as, e.g.,
>
> http://www.example.com/
>
> . When one clicks on it (even with the /right/ mouse button),
> it is being changed into something like
>
> http://www.badcompany.com/redirect?uri=http%3A%2F%2Fwww.example.com%2F
>
> . I have looked at the DOM before the click and then again after
> the click and it seems that the DOM is being changed from
>
> ... href="http://www.example.com/" ...
>
> into
>
> ... href="http://www.badcompany.com/redirect?uri=http%3A%2F...
>
> . Ok, this is annoying. I assumed that the click is being intercepted
> with JavaScript and then the href attribute is changed.
>
> To get rid of the nasty "clickjacking", I disabled JavaScript before
> I clicked on the link with the right mouse button (to "copy" the URI).
> What bewildered me: The link is still changed /with Java-Script/
> disabled! How is this possible?
>
> I tried the same thing with a different browser and still see the
> same behaviour.
>
> Is it possible that after a page has been loaded and some scripts
> already have been executed, disabling JavaScript might not
> immediately disable running any JavaScript from that moment on?
> Is it possible that some JavaScript statements still can be executed?
>
> I have no idea how else it can be possible that the link is
> being changed when JavaScript is disabled.
>
> Or is there any HTML feature that would allow to have such a
> change of the DOM happen without JavaScript? TIA!

They could be using CSS to hide one link, on hover, and show another?

Andrew Poulos

Maik Koenig

Sep 20, 2021, 8:42:33 PM
On 21.09.2021 at 00:51, Stefan Ram wrote:
> A web page has a link that is shown (in the status bar when
> the mouse is positioned over it) as, e.g.,
>
> http://www.example.com/
>
> . When one clicks on it (even with the /right/ mouse button),
> it is being changed into something like
>
> http://www.badcompany.com/redirect?uri=http%3A%2F%2Fwww.example.com%2F
>

How about giving the url so we can look?

Greetz,
MK
--
Kopp-Verlag believers, religious morons, right-wing complete idiots
and similar bio-waste will be ignored without notice!
I read the groups I post in: NO mail copies.

Jon Ribbens

Sep 21, 2021, 7:11:07 AM
On 2021-09-20, Stefan Ram <r...@zedat.fu-berlin.de> wrote:
> Is it possible that after a page has been loaded and some scripts
> already have been executed, disabling JavaScript might not
> immediately disable running any JavaScript from that moment on?
> Is it possible that some JavaScript statements still can be executed?

I think I would go with "if JavaScript was enabled when you loaded the
page, then disabling it does nothing until you reload the page".

JJ

Sep 21, 2021, 3:35:29 PM
On 20 Sep 2021 22:51:05 GMT, Stefan Ram wrote:
> A web page has a link that is shown (in the status bar when
> the mouse is positioned over it) as, e.g.,
>
> http://www.example.com/
>
> . When one clicks on it (even with the /right/ mouse button),
> it is being changed into something like
>
> http://www.badcompany.com/redirect?uri=http%3A%2F%2Fwww.example.com%2F
>
> . I have looked at the DOM before the click and then again after
> the click and it seems that the DOM is being changed from
>
> .... href="http://www.example.com/" ...
>
> into
>
> .... href="http://www.badcompany.com/redirect?uri=http%3A%2F...
>
> . Ok, this is annoying. I assumed that the click is being intercepted
> with JavaScript and then the href attribute is changed.
>
> To get rid of the nasty "clickjacking", I disabled JavaScript before
> I clicked on the link with the right mouse button (to "copy" the URI).
> What bewildered me: The link is still changed /with Java-Script/
> disabled! How is this possible?
>
> I tried the same thing with a different browser and still see the
> same behavior.
>
> Is it possible that after a page has been loaded and some scripts
> already have been executed, disabling JavaScript might not
> immediately disable running any JavaScript from that moment on?
> Is it possible that some JavaScript statements still can be executed?
>
> I have no idea how else it can be possible that the link is
> being changed when JavaScript is disabled.
>
> Or is there any HTML feature that would allow to have such a
> change of the DOM happen without JavaScript? TIA!

I suspect that the JavaScript is not entirely disabled/blocked. If it was
disabled/blocked using a browser addon, some addons can only do it by
blocking external JavaScript resource network requests but cannot disable
embedded/inline JavaScript.
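Added example, not part of any poster's message and not code from the site discussed in the thread: whatever mechanism rewrites the href, the original destination can be recovered from the wrapped URL quoted in the question, and the before/after values seen in the DOM can be compared. The parameter names other than `uri`, the function names and the depth limit are assumptions made for this sketch.

```javascript
// Query parameters that may carry the wrapped destination.
// Only "uri" appears in the thread; the others are assumed for illustration.
const TARGET_PARAMS = ["uri", "url", "u", "target", "dest"];

// Return the innermost http(s) destination wrapped in a redirect URL,
// or the input unchanged when nothing usable is wrapped.
function unwrapRedirect(href, maxDepth = 5) {
  let current = href;
  for (let depth = 0; depth < maxDepth; depth++) {
    let parsed;
    try {
      parsed = new URL(current);
    } catch {
      return current; // not an absolute URL: nothing to unwrap
    }
    let inner = null;
    for (const name of TARGET_PARAMS) {
      const value = parsed.searchParams.get(name); // already percent-decoded
      if (value === null) continue;
      try {
        const candidate = new URL(value);
        // Accept only web destinations; skip javascript:, data: and the like.
        if (candidate.protocol === "http:" || candidate.protocol === "https:") {
          inner = candidate.href;
          break;
        }
      } catch {
        // Value is not an absolute URL; try the next parameter name.
      }
    }
    if (inner === null) return current;
    current = inner; // the destination may itself be another wrapper
  }
  return current;
}

// Compare the href seen before the click with the one seen after it.
function describeRewrite(before, after) {
  const rewritten = new URL(before).href !== new URL(after).href;
  return {
    rewritten,
    redirector: rewritten ? new URL(after).host : null,
    preservesTarget: new URL(before).href === unwrapRedirect(after),
  };
}
```

Calling `describeRewrite` with the two href values copied from the DOM inspector shows which host was inserted and whether the wrapped URL still points at the link's original destination.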