Mailing List Archive

data-saferedirecturl WTF?
Can anyone point me to a reference document describing what the
"data-saferedirecturl" attribute on an <a> tag is supposed to be useful
for, and for bonus points any hints why it can't be trivially and
horribly abused by scammers?

Most of the search results I've turned up reference URL-munging observed
inside Gmail, but clearly this is some broader HTML attribute or it
wouldn't be supported by mail clients.

As best I can tell it's a way to work around hiding the actual link
target address without using JavaScript, and getting a bonus
tell-Google-where-you're-going if you click the link. The majority of
these I've come across bounce the link through Google Search because
Reasons, although some seem to be keen on abusing some other Google
redirector.

Unfortunately I'm also seeing these in legitimate mail, and the rule I
added locally a couple weeks ago for a subset of variations has
triggered a handful of FPs.

-kgd

Re: data-saferedirecturl WTF?
On 21 Apr 2021, at 11:45, Kris Deugau wrote:

> Can anyone point me to a reference document describing what the
> "data-saferedirecturl" attribute on an <a> tag is supposed to be
> useful for, and for bonus points any hints why it can't be trivially
> and horribly abused by scammers?
>
> Most of the search results I've turned up reference URL-munging
> observed inside Gmail, but clearly this is some broader HTML attribute
> or it wouldn't be supported by mail clients.

What evidence do you have of it being "supported" by any non-Google mail
client?

> As best I can tell it's a way to work around hiding the actual link
> target address without using JavaScript,

As best I can tell, the only way it serves any function is if you are
viewing the email in something that executes JavaScript written to use
that attribute.

> and getting a bonus tell-Google-where-you're-going if you click the
> link. The majority of these I've come across bounce the link through
> Google Search because Reasons, although some seem to be keen on
> abusing some other Google redirector.
>
> Unfortunately I'm also seeing these in legitimate mail, and the rule I
> added locally a couple weeks ago for a subset of variations has
> triggered a handful of FPs.

I would not expect to see that attribute in any email that had not been
handled by Google.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
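
A triage aid for the false-positive problem raised in this thread, added here as an example (not code from either poster or from any mail filter): instead of firing on the attribute alone, it reports whether the destination carried in `data-saferedirecturl` agrees with the visible `href`. It assumes the redirector passes the destination in a `q` query parameter; the names `classify`, `audit` and `SafeRedirectAudit` and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


def classify(href, redirect):
    """Compare the visible href with the destination carried in the attribute."""
    parts = urlsplit(redirect)
    # Assumption: the redirector passes the destination in a "q" parameter.
    target = parse_qs(parts.query).get("q", [""])[0]
    if not target:
        verdict = "no-target"    # nothing to compare against
    elif target == href:
        verdict = "consistent"   # attribute points where the href points
    else:
        verdict = "mismatch"     # attribute and href disagree
    return {"href": href, "redirector": parts.hostname,
            "target": target, "verdict": verdict}


class SafeRedirectAudit(HTMLParser):
    """Collect every <a> tag that carries data-saferedirecturl."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)  # character references in values are already decoded
        redirect = a.get("data-saferedirecturl")
        if redirect:
            self.findings.append(classify(a.get("href") or "", redirect))


def audit(html):
    parser = SafeRedirectAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body; the example.* hosts are placeholders.
SAMPLE = (
    '<a href="https://example.com/news" data-saferedirecturl="https://www.google.com/url?'
    'q=https://example.com/news&amp;source=gmail">News</a>'
    '<a href="https://example.com/login" data-saferedirecturl="https://www.google.com/url?'
    'q=https://example.net/x">Log in</a>'
    '<a href="https://example.org/">plain link</a>'
    '<a href="https://example.com/a" data-saferedirecturl="https://redirect.example/out?u=abc">A</a>'
)
```

The string comparison is exact, so a rule built on this would want URL normalisation before treating a `mismatch` as significant.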