By  on  

JavaScript security is a big business and for all of the right reasons.  JavaScript lets us do incredible things on the front end but some of those incredible things are for eval evil.  Spyjax used to be one of those evil things but browsers seem to have figured that out.  One technique I've seen lately is clickjacking -- presenting a link as one URL but then changing the URL quickly to trick the user.  Let me show you what I've seen.

When visiting CNBC, I would occasionally command+click a link to a post to open it in a new window, but Google Chrome would refuse via the popup blocker.  That confused me -- I'm triggering a "native" action, why is the popup blocker hassling me?  Because CNBC was being gangsta:

<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>

The href was set to one URL but JavaScript dynamically changed the href to the "bad" address upon mousedown, thus changing the destination before the use knew it.  This is an incredibly shady practice with only one possible purpose: gaming the user and possibly even search engines.

It's impressive that Chrome detected CNBC's technique and blocked the click. Clickjacking could become a serious issue and I've lost a lot of trust in CNBC.  If you're participating in this practice, it may be best to stop -- the browsers are on to you.

Recent Features

  • By
    fetch API

    One of the worst kept secrets about AJAX on the web is that the underlying API for it, XMLHttpRequest, wasn't really made for what we've been using it for.  We've done well to create elegant APIs around XHR but we know we can do better.  Our effort to...

  • By
    From Webcam to Animated GIF: the Secret Behind!

    My team mate Edna Piranha is not only an awesome hacker; she's also a fantastic philosopher! Communication and online interactions is a subject that has kept her mind busy for a long time, and it has also resulted in a bunch of interesting experimental projects...

Incredible Demos


  1. Couldn’t agree more Dave, there are numerous other “methods” if the site owner wanted to utilise some form of redirect – this is insidious at best! One wonders what it would do to the ranking of a page once Google starts investigating the validity of these “links” – even CNBC might not be safe from some finger wagging by the Search Engines…

  2. MzJS

    Well, Google does this on the search results themselves, so does that count? It is especially annoying if you want to copy a search result via “copy link address” or similar. Same for OneDrive.

  3. Matt

    It seems even more shocking that you had any trust in CNBC. Not surprised.

    • “more shocking”…”not surprised”….I’m lost on what you’re trying to say.

    • Eliseu


  4. I’ve not seen it knowingly done by a site owner. But I have been spending the past few nights rebuilding my Dad’s Windows PC, remotely because it was riddled with Adware and Malware which was Clickjacking links all over the place.
    Even going to Microsoft OneDrive to install it to back his documents up was an ordeal. 75% of the time the link to “download” got clickjacked, and sent me off to a half convincing looking facsimile of the OneDrive download site.
    This happened to almost any “call to action” on any site, and was affecting Chrome and IE (his PC was so slow, I had no patience to download any other browsers for testing)

    It’s a worrying thing, that I hope browser vendors have a plan for, as my Dad was falling for them every time.

  5. MaxArt

    Sneaky scoundrels! o_O
    And this is from CNBC, not some wAre2 site… Oh, come on! D:
    I wonder if Chrome would be able to catch it if the action was done on mouseover rather than mousedown.

  6. Fredrik

    It is really annoying that so many sites requires JS to work. I can understand that it would be nice to have some JS to enable slideshows or whatever, but JS to even read a plain text? Come on!

  7. I’ve seen something similar at work this week from [popular company in my industry] and its frustrating to see how intrusive web advertisements can be. We should want to put creativity into what we do, but not to the point that we try to outsmart security features and search engines which already suppress virtually similar behaviors. I’m an enterprise dev, and the most successful argument I’ve ever used to not do something like this is “X browser prevents this because Y”. Where I work, every feature I make already has the requirement of needing to work in all of the browsers we support, so this argument is usually sufficient.

  8. Never trust the Big Green Download button! looks for a tiny little invisible download link that is impossible to find!

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!