I'm using this code to change the status bar of IE.
Google
But the problem is when I'm using a menu (links inside a div) it doesn't change the status bar anymore. Is there any way to fix it?
Most modern browsers allow the user to decide whether she wants the status bar to be overwritable. If it is disabled (which is, I assume, the default in many browsers), you have no way to bypass this (other than finding a zero day exploit).
Here's an awesome solution
<a href="//./ Woo status bar" onclick="this.href='http://google.com'">
No, but really though - this practice is a little outdated. Users expect to be able to see the URL of the link they're about to click to ensure it is legit. If you want to give people more information about a link, encode it either in the paragraph (eg: "take a look at this big search engine or this up-and-coming one"), or use the title attribute on the link. The text you enter there will appear in a tooltip if the user hovers on the link.
onmouseover="window.status='Google';"
works only for IE. It doesn't seem to work for FF. What browser are you testing it in?
I suspect this works only in IE, but it won't work for other browsers.
Link 4
This worked for me on Chrome/IE(7/8)/FF.
You know that text that appears in the bottom left of your browser when you mouseover a link? How do you change that?
I'm a competent programmer so I don't need a code sample or handholding, but a high level approach would be great.
Thanks!
In old browsers, you could set the property window.status to modify the text in the status bar. Because this holds serious security issues (the user could be tricked into clicking on a link which leads to another target), all modern browsers deactivated this feature.
This can be done with JavaScript:
onmouseover="window.status='TEXT HERE'"
You can try the window.status property, however this isn't used often anymore as most browsers now block the status bar text from being updated.
I've noticed for a very long time that when you try to copy a link location or open a link on Facebook, it modifies the link and passes it through l.php.
For example, I can be sent to
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F&h=DKVUritNDJDJLDLVbldoDLFKBLOD5dlfDJY_-d3fgDUaA9b
even though my browser renders the link preview as http://www.google.com/.
Today, I took a closer look using Firebug and found that Facebook puts onmousedown="UntrustedLink.bootstrap($(this)[...] in the <a> tag. The second I right clicked the link, I saw the href attribute change in Firebug.
This worries me.
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless. Isn't this a security risk? Can't phishing websites misuse this?
Why don't browsers prevent this behavior either by disallowing onmousedown to change the href or by running the JavaScript before reading the href attribute, so that I am sent to the location I thought I was going to, not the one changed while I was clicking it?
Edit: I want to briefly emphasize that what bothers me more than the risk of phishing is that users are being misled and it simply feels wrong to me that this can happen, whether by a trusted source or not.
I agree that there is potential here for phishing. This was reported as a bug in Firefox quite a long time ago, but the problem is this:
<body onmousedown="document.getElementById('changeMe').href='www.somewhereelse.com'">
<a id="changeMe" href="www.google.com">google</a>
</body>
Events bubble up to their parent, you would need to detect if an onmousedown event was going to change the href of a child element. Sounds reasonable? Okay, how about this:
<script>
function switcher() {
window.location = "www.somewhereelse.com";
return false;
}
</script>
<body onmousedown="switcher()">
google
</body>
So we need to look out for window.location in functions triggered by onmousedown events as well. Still sound reasonable? How about if I have the onmousedown event remove the link altogether, replace it with a new element and then trigger the click on that. I can keep coming up with examples.
The point is, JavaScript can be used to misdirect people using the status bar - you shouldn't trust it, you can only trust the URL.
To change this, browsers would need to give the set href value on a link at the time of the click precedence over any other events that might happen, basically disable mouse events on anchor tags. I would venture to guess they probably won't do this, it would break too many applications that already exist.
Edit: Alternatively, I've seen people propose different methods of detecting and warning the user about possible link hijacking, but I've not seen any implemented yet.
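A sketch of the hover-versus-click comparison such a warning could be built on, as an added example that is not part of the original answer or of any browser: it records the href a link shows on hover and compares it with the href present at click time. The names createHrefGuard, onHover, onClick and demo, and the example.test base URL, are assumptions made for illustration.

```javascript
// Added example, not code from the thread. createHrefGuard, onHover, onClick,
// demo and the example.test URL are hypothetical names.
function createHrefGuard(baseUrl) {
  const shown = new WeakMap(); // link -> href the status bar previewed
  const parse = (href) => {
    try { return new URL(href, baseUrl); } catch { return null; }
  };
  return {
    // Call on mouseover/focus: remember what the user was shown.
    onHover(link) { shown.set(link, link.href); },
    // Call on click, i.e. after any mousedown handler has run.
    onClick(link) {
      if (!shown.has(link)) return { verdict: 'unseen', to: link.href };
      const before = parse(shown.get(link));
      const after = parse(link.href);
      if (!before || !after) return { verdict: 'unparseable', to: link.href };
      if (before.href === after.href) return { verdict: 'same', to: after.href };
      const verdict = before.origin === after.origin
        ? 'changed-same-origin' : 'changed-cross-origin';
      return { verdict, from: before.href, to: after.href };
    },
  };
}
// Constructed sample: a link rewritten between hover and click, as in the
// l.php case from the question (query string shortened).
function demo() {
  const guard = createHrefGuard('http://example.test/');
  const link = { href: 'http://www.google.com/' };
  guard.onHover(link);
  link.href = 'http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.google.com%2F';
  return guard.onClick(link);
}
// Browser wiring; skipped where there is no DOM (for example under Node).
if (typeof document !== 'undefined') {
  const guard = createHrefGuard(document.baseURI);
  const anchorOf = (e) => (e.target.closest ? e.target.closest('a[href]') : null);
  document.addEventListener('mouseover', (e) => { const a = anchorOf(e); if (a) guard.onHover(a); }, true);
  document.addEventListener('click', (e) => {
    const a = anchorOf(e);
    const r = a ? guard.onClick(a) : null;
    if (r && r.verdict === 'changed-cross-origin') {
      e.preventDefault(); // hold the navigation so both URLs can be shown
      console.warn('Link changed after hover:', r.from, '->', r.to);
    }
  }, true);
}
```

This catches only a rewrite of href before the click; a handler that assigns window.location, as in the second snippet above, never touches href and is reported as 'same', which is the answer's point about detection being incomplete.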
The advice many of us have given to less tech-savvy people (check where the link is taking you before you click so that you don't become a victim of phishing) now seems to have become useless.
If by "check" you mean the link 'preview' browsers show at the bottom status bar then you are correct. That is not enough to check whether a link really goes where it claims to be going. For instance, running the jQuery script below on a page will cause all links to go to google.com regardless of what the actual href target of the link is:
$('a').click(function(evt){evt.preventDefault();window.location.href="http://google.com"})
Can't phishing websites misuse this?
Not really, because Facebook is where the said JavaScript would have to be called from. The user has to go to an untrusted source in the first place who would embed the JavaScript in the tag.
In my project I have a requirement wherein I need to remove the address bar for a pop-up but retain the back, forward and refresh buttons on the toolbar. So the option toolbar=0 for the pop-up does not work for me. I just want to remove the address bar and nothing else from the browser pop-up. Kindly help me with this.
You can try setting location=0 in the option string (see the Mozilla and Microsoft docs), but do note that most modern browsers will force the presence of the location bar anyway.
What browser are you testing in? Someone else chime in if I am wrong but I think Chrome will not let you remove the address bar.
I'm trying to find an elegant way to inform a user that s/he is about to be logged out and I know that most browsers will give you some indication that a hidden tab has an alert box open. I would like to duplicate this functionality without actually showing an alert box.
I have thought about forcing the tab/window to gain focus, but that is quite obtrusive and I hate it when websites do that to me, so I'm looking for something a little more subtle.
Any ideas?
Edit/Clarification: I already have a div that pops up if they are about to be logged out. My problem is that if they are on another tab, they won't be able to see that div, so I would like some way to notify the user that something important has happened on my tab so they go check it out and see the logout notice.
The favicon idea listed below is an excellent idea, any others?
Here's an interesting way that comes to mind. When it's time to be logged out, change the website's favicon dynamically. Newer browsers should be ok with it.
Look here: Changing website favicon dynamically
Some techniques I've seen:
Some sort of sound that's played (I think it's done with Flash in the case I'm thinking of, but maybe it's possible with HTML5's audio tag)
Flashing/alternating favicon
Use JavaScript to change the page title tag every 2s or so
You could create a page that informs them they will be logged out in a certain amount of time with a button that would allow them to maintain their session. Or maybe you could use a lightbox modal popup window (example here).
Why not swap out a div styled how you want to change to let them know they will be logged out soon? Then, you can simply have it as a portion of your page with all the same style and formatting?
For example, your normal page has some sort of page element with visibility:block; and then before they will be logged out, you change that to visibility:none; and change your other element (in the same place) to have visibility:block;
Does this idea make sense? You have to be able to detect when this is happening with JavaScript already to alert, so instead of alerting you are just swapping out display elements.
I hope this is helpful,
-Brian J. Stinar-
It probably doesn't go with what you're after, but a simple modal window is probably a good idea? I know it doesn't alert the user instantly, and they won't see it unless they switch back to that tab, but it's unobtrusive and I believe most users would prefer not to have something rammed in their face!
If this notification is to be triggered by a user clicking "log out" or the likes then they will see it and it won't be as intrusive as forcing them to stop what they are doing and close the alert box.
And if it's due to time out or something similar then the user isn't overly concerned or they would still be on that tab.
I think that this serves the best purpose in terms of usability as people don't want to be hassled or have their workflow broken by an alert shoved at them! A perfect example is Microsoft TFS which would constantly throw alerts at you when you got signed out, which got really frustrating, really quickly.
So my answer is: think how the user would like to be notified in the least obtrusive way :-)
Hi, this is my first attempt at JavaScript:
The following function is used to display window status bar messages. It works fine on the local machine but when I upload it to the server the messages are not displayed at all.
What am I doing wrong? Please help.
function displayMsg(msg){
window.status = msg;
}
What should happen is when you hover over the image it should display a message to click it and the image is then updated.
I saw this but if this is no longer possible then why does it work locally?
EDIT: Thank you for your answer. I am wondering if it is possible to display a tooltip once the image over event happens? Thanks,
EDIT: I have added a Title attribute and it seems to display a tooltip. What you are seeing would be most welcome input. Thanks.
EDIT: Google Chrome works fine. Safari does not run JavaScript. I'm on Win7.
window.status has been disabled in most (if not all) browsers for security reasons (it was possible to fake a different location for links that way).
See e.g. the MDC page on window.status:
This property does not work in default configuration of Firefox and some other browsers: setting window.status has no effect on the text displayed in the status bar. To allow scripts to change the status bar text, the user must set the dom.disable_window_status_change preference to false in the about:config screen.
It was also removed in IE 7.
As to why it works locally, I can't say. Maybe security restrictions are more relaxed there, although it's strange!