
JavaScript security is a big business and for all of the right reasons.  JavaScript lets us do incredible things on the front end but some of those incredible things are for eval evil.  Spyjax used to be one of those evil things but browsers seem to have figured that out.  One technique I've seen lately is clickjacking -- presenting a link as one URL but then changing the URL quickly to trick the user.  Let me show you what I've seen.

When visiting CNBC, I would occasionally command+click a link to a post to open it in a new window, but Google Chrome would refuse via the popup blocker.  That confused me -- I'm triggering a "native" action, why is the popup blocker hassling me?  Because CNBC was being gangsta:

<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>

The href was set to one URL but JavaScript dynamically changed the href to the "bad" address upon mousedown, thus changing the destination before the user knew it.  This is an incredibly shady practice with only one possible purpose: gaming the user and possibly even search engines.

It's impressive that Chrome detected CNBC's technique and blocked the click. Clickjacking could become a serious issue and I've lost a lot of trust in CNBC.  If you're participating in this practice, it may be best to stop -- the browsers are on to you.
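Two defender-side checks for the trick described above, written as an added example (this is not code from the original post, and the names `findHrefSwappers`, `makeLinkGuard` and the sample markup are my own). The first scans page markup for anchors whose inline mouse handler assigns to `this.href`, which is exactly the CNBC pattern; the second is the runtime version, remembering a link's href when the pointer first arrives and comparing it again at click time, so it also catches handlers attached with `addEventListener`.

```javascript
// Added example (not from the original post): detecting href-swapping links
// such as <a href="/some-url" onmousedown="this.href='/some-other-url';">.

// 1. Static audit of markup: flag anchors whose inline mouse handler assigns
//    to `this.href`. Regex-based, so it covers the inline attribute form shown
//    in the post, not handlers wired up with addEventListener (see 2 below).
const ANCHOR_RE = /<a\b[^>]*>/gi;                      // opening <a ...> tags
const ATTR_RE = /(\w+)\s*=\s*("([^"]*)"|'([^']*)')/g;  // name="value" / name='value'
const SWAP_EVENTS = new Set(['onmousedown', 'onmouseover', 'onmouseenter', 'onclick']);
const HREF_ASSIGN_RE = /\bthis\s*\.\s*href\s*=[^=]/;   // an assignment, not === / ==

function findHrefSwappers(html) {
  const hits = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const attrs = {};
    for (const m of tag.matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = m[3] !== undefined ? m[3] : m[4];
    }
    for (const ev of SWAP_EVENTS) {
      if (attrs[ev] && HREF_ASSIGN_RE.test(attrs[ev])) {
        hits.push({ href: attrs.href || '', event: ev, handler: attrs[ev] });
      }
    }
  }
  return hits;
}

// 2. Runtime guard: record each link's href the first time the pointer reaches
//    it and compare on click. It only needs an object with an `href` property,
//    so it is exercised here with plain objects; in a page you would call
//    remember() from a capturing `mouseover` listener and check() from a
//    capturing `click` listener on `document`, and warn or preventDefault()
//    when check() reports a mismatch.
function makeLinkGuard() {
  const seen = new WeakMap();
  return {
    remember(link) { if (!seen.has(link)) seen.set(link, link.href); },
    check(link) {
      const original = seen.get(link);
      if (original === undefined || original === link.href) return null;
      return { original, actual: link.href };
    },
  };
}

// Constructed sample markup modelled on the snippet in the post. The third
// anchor compares href rather than assigning it and must not be flagged.
const SAMPLE_HTML = `
<a href="/honest">Honest Link</a>
<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>
<a href="/x" onclick="return this.href === '/x'">Comparison, not a swap</a>`;

function demo() {
  const guard = makeLinkGuard();
  const link = { href: '/some-url' };
  guard.remember(link);          // pointer arrives over the link
  link.href = '/some-other-url'; // what the inline mousedown handler does
  return { audit: findHrefSwappers(SAMPLE_HTML), runtime: guard.check(link) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The static scan is the cheap check to run over a crawl or a CMS template; the runtime guard is what a browser extension or the popup blocker effectively does, and it is the one that still works when the swap is done on `mouseover` or from an external script rather than an inline attribute.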


  1. Couldn’t agree more Dave, there are numerous other “methods” if the site owner wanted to utilise some form of redirect – this is insidious at best! One wonders what it would do to the ranking of a page once Google starts investigating the validity of these “links” – even CNBC might not be safe from some finger wagging by the Search Engines…

  2. MzJS

    Well, Google does this on the search results themselves, so does that count? It is especially annoying if you want to copy a search result via “copy link address” or similar. Same for OneDrive.

  3. Matt

    It seems even more shocking that you had any trust in CNBC. Not surprised.

    • “more shocking”…”not surprised”….I’m lost on what you’re trying to say.

    • Eliseu


  4. I’ve not seen it knowingly done by a site owner. But I have been spending the past few nights rebuilding my Dad’s Windows PC, remotely because it was riddled with Adware and Malware which was Clickjacking links all over the place.
    Even going to Microsoft OneDrive to install it to back his documents up was an ordeal. 75% of the time the link to “download” got clickjacked, and sent me off to a half convincing looking facsimile of the OneDrive download site.
    This happened to almost any “call to action” on any site, and was affecting Chrome and IE (his PC was so slow, I had no patience to download any other browsers for testing)

    It’s a worrying thing, that I hope browser vendors have a plan for, as my Dad was falling for them every time.

  5. MaxArt

    Sneaky scoundrels! o_O
    And this is from CNBC, not some wAre2 site… Oh, come on! D:
    I wonder if Chrome would be able to catch it if the action was done on mouseover rather than mousedown.

  6. Fredrik

    It is really annoying that so many sites require JS to work. I can understand that it would be nice to have some JS to enable slideshows or whatever, but JS to even read a plain text? Come on!

  7. I’ve seen something similar at work this week from [popular company in my industry] and it’s frustrating to see how intrusive web advertisements can be. We should want to put creativity into what we do, but not to the point that we try to outsmart security features and search engines which already suppress virtually similar behaviors. I’m an enterprise dev, and the most successful argument I’ve ever used to not do something like this is “X browser prevents this because Y”. Where I work, every feature I make already has the requirement of needing to work in all of the browsers we support, so this argument is usually sufficient.

  8. Never trust the Big Green Download button! Look for a tiny little invisible download link that is impossible to find!
