KenWi11iams
I suggest that Microsoft Outlook be updated to recognize potential cross site
misdirecting links. It is very easy to send an email message that contains a
link displayed as http://www.mysite.com/ where the actual location of the web
page to be viewed is someplace completely different. This creates a
significant threat to the user and provides a simple means of cross site
request forgery.
A warning should be raised if an HTML formatted email message contains a
link and the displayed text contains a URL whose domain is different from the
domain of the actual link. Technically, if the text in an HTML “a” element
appears to contain an Internet domain that is different from the domain in
the href attribute, a warning should be displayed. The warning would not
apply if the viewed text of the link does not appear to contain a domain
name. Thus it would be alright to have the usual “click here” link format.
The warning would only occur if the displayed text looks like it contains a
domain name and then only if the domain is different from the actual link. A
warning would not be produced if the link text was www.mysite.com and the
link was to server47.mysite.com since the domains are identical even if the
servers are different.
Microsoft Outlook currently flags some email as potentially hazardous. The
same message should be attached to messages with differing link domains. The
links in these potentially hazardous messages should be disabled. It would
be advantageous if the Internet Explorer also flagged these potential threats.
----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.
http://www.microsoft.com/office/com...7e0c9a706&dg=microsoft.public.outlook.general
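An added example (not code from the original post or from Microsoft) of the check the post proposes, in Python: it pulls each `<a>` element's display text and `href` out of an HTML message body and flags the link only when the text looks like it contains a domain and that domain differs from the `href` domain, so "click here" passes and www.mysite.com pointing at server47.mysite.com passes. Assumptions: the "domain" is approximated by the last two host labels (no public-suffix list), and the regex for domain-like text is a constructed heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed heuristic: display text "looks like a domain" when it contains
# host.tld, optionally preceded by a scheme and followed by a path or port.
DOMAIN_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#:]|\b)', re.I)


def registrable_domain(host: str) -> str:
    """Approximate the domain by its last two labels (assumption: no public
    suffix list, so multi-label suffixes such as co.uk are not handled)."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def link_domain_mismatch(text: str, href: str):
    """Return (displayed_domain, actual_domain) when they differ, else None."""
    m = DOMAIN_RE.search(text)
    if not m:
        return None                      # plain "click here": no warning
    actual_host = urlsplit(href).hostname  # None for mailto:, relative links
    if not actual_host:
        return None
    shown, actual = registrable_domain(m.group(1)), registrable_domain(actual_host)
    return None if shown == actual else (shown, actual)


class AnchorCollector(HTMLParser):
    """Collect (display text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href') or '', []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((''.join(self._text).strip(), self._href))
            self._href = None


def scan_html(html: str):
    """Return [(text, href, (shown, actual))] for links that should be warned on."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        mismatch = link_domain_mismatch(text, href)
        if mismatch:
            flagged.append((text, href, mismatch))
    return flagged
```

Disabling or annotating the flagged links in the rendered message is the client's job; this only decides which ones deserve the warning.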