Hide the Target URL of a Link in Status Bar

There are some instances where you have redirect the user through one page to get them to another page. There is a way to do this stealthily - without letting the user know that there was a redirect. Yes - it sounds evil - but it don't have to be. Say you have a click tracking software - you have to track each click the users make. To do that you need a redirecting page what will track the clicks. Hopefully, the following illustration will make things clearer...

Current Page
->
Page with the click counter
->
Destination Page

You don't want the user to see that you are passing through the middle page. Usually, the URL will flash in the address bar for just a second(or less) - so we don't have to worry about that. We just have to prevent the URL from appearing in the status bar when the user hovers over the link.

There are three methods to do this...

Changing Status Text

This is the old method. This uses the window.status property to show a different URL to the user. Simple and easy method - but it rarely works now a days. This method has been abused by malicious sites a lot - so most browsers have disable this option. In Firefox, you can find that option at Tools -> Preferences -> Content -> Enable Javascript(click on the 'Advanced' Button) -> Change status bar text. If that's checked, you can use window.status to change the status bar text. But its disabled by default.

But if you still want to use this method(not recommended), this is how to do it...

<a href="click_counter.php?redirect_to=http://www.google.com/" 
	onmouseover="window.status='http://www.google.com/';return true;" 
	onmouseout="window.status='';">Go To Google</a>

Hijacking Click Event

In this method, when the user clicks on the link, the script captures the click event and stops it. This will prevent the browser from opening up the target page. Then we use location.href to go to the new page. Sample code below...

HTML Code

<a href="http://www.google.com/" id="google-link">Go To Google</a>

Javascript Code

<script type="text/javascript">
function init()  {
	document.getElementById("google-link").onclick=function(e) {
		e=e||window.event;
		stopEvent(e);
		location.href="click_counter.php?redirect_to=http://www.google.com/";
		return false;
	}
}
window.onload=init;
</script>

Ajax Method

This is for all you web 2.0 fans. Ajax method simply makes a call to the counter server side script on the click event. This is perhaps the best method of all - as the counter URL doesn't appear at all. Needless to say, the server side script used here will be different from the one used in the other methods - there is no redirection here. The code is very simple as well...

HTML Code

<a href="http://www.google.com/" id="google-link">Go To Google</a>

Javascript Code

<script type="text/javascript">
function init()  {
	document.getElementById("google-link").onclick=function(e) {
		jx("counter.php?url="+escape("http://www.google.com/")); //Use your favorite ajax library here.
	}
}
window.onload=init;
</script>

Comments

brain at 13 Jun, 2008 10:38
Thanks this is great tutorial I used this hah coool thank fnds
Reply to this.
fiber optical cabling at 24 Jun, 2008 06:50
About Redirect to other web address // html code --

html-lesson.blogspot.com/2008/06/redirect-to-web-addres.html
Reply to this.
Anonymous at 15 Jul, 2008 01:37
Isn't it a bad practice to override browser properties? The feature was included in the browser for a reason, and its not the developers place to remove that feature. Besides, modern browser have javascript security features which can override the removal of status bar text by default.

Regards,
~ Nathan
Reply to this.
Binny V A at 17 Jul, 2008 07:00
Yes its a very bad practice. I would not normally recommend doing it. So do this only if you know what you are doing.
Reply to this.
dedward.nrep at 02 Aug, 2008 09:00
I just switched over from firefox 2.0 to 3.0 and the first javascript was working fine in 2.0 but since the switch I have had no luck in hiding the url in the status bar. I was wondering whether the w3c has made any recommendations as far as that is concerned. A script that I found interesting was the one below but it also had no effect.

function hidestatus(){
window.status=''
return true
}
Reply to this.
Roshan at 12 Aug, 2008 09:35
Thanks for sharing this...nice post dude....
Reply to this.
Saeed at 30 Sep, 2008 01:09
Hi,

Thanks for these useful parts of codes. This is exactly what I was looking for.

Regrads,
Saeed.
Reply to this.
Martin at 09 Oct, 2008 12:57
I cant get the ajax method to work at all, using the www.openjs.com/scripts/jx/jx.js file I get a Permissions error, uncaught message, am I using the wrong file ?

Perhaps a use this and that tutorial would help ?
Reply to this.
Martin at 09 Oct, 2008 01:00
PS: I'm trying to hide my tracking link, upto its maxdest=http://someurl.com should this method work out for me ?

ck.php?oaparams=2__bannerid=32__zoneid=0__cb=96b39226f8__maxdest=http://someurl.com/
Reply to this.
Binny V A at 09 Oct, 2008 12:41
Are you trying to access a page on a different server? That should give you permission error.
Reply to this.
Anonymous at 09 Oct, 2008 01:48
yeah, is that the problem, the full link would point to my server ( from another server ), then redirect to the maxdest= as it registers a hit/click etc.. its a big long url as you can see, so I'm hunting to hide it somehow
Reply to this.
Nick FitzGerald at 15 Apr, 2009 10:07
Excellent -- by focusing on a specific technical issue as "the problem", you have just encouraged another generation of noobs to be spam, and other fraud such as phishing, enablers by implementing open redirectors. If you're going to use "implementing a redirector" as your raison d'etre for such a tutorial, at least implement a half-decent one. By ignoring the demands of a good redirector, you implemented a trivial, stupid, problem-enhancing one.

What's wrong with your redirector eample?

It breaks the three simple rules of a good redirector:

1. Do not put target URLs in the redirector URL parameters.

2. Do not put easily decoded target URLs in the redirector URL parameters.

3. In fact, do not put target URLs in the redirector URL parameters IN ANY FORM AT ALL.

Always use some kind of server-side lookup for the target URL based on an index in the redirector URL parameters and never allow arbitrary, client-side provided URLs to reflect through the redirector.

If you don't start by thinking about the security implications of what you are coding you will just pour out mindless, readily abusable crud over and over -- even MS won't employ folk like that now...

If you are implementing a redirector, please, at a minimum, carefully read the material linked from spamlinks.net/prevent-secure-redirect.htm
Reply to this.
Ramesh at 25 May, 2009 04:49
Hi..This piece of information is very useful…Could you please let me know how to hide URL in address bar. In which ever page the user is currently in, it should show the default page address as URL.
Reply to this.
unown xu at 21 Jun, 2009 09:33
LOL @the post above me.

now that? he's a noob skiddy phisher wannabe.
Reply to this.
tom3k at 23 Jun, 2009 11:18
completly useless...

the latest browsers (both and ie and ff) default to having this disabled...

also, this falls into the quite evil category... just think of all the security issues this brings up...

dont do it son, dont do it!
Reply to this.
fun at 03 Jul, 2009 05:20
not realy new tricks but still workin with firefox 3.0 and ie 8.0 :-)
Reply to this.
Comment

Please dont enter you comments in this form - this is a fake form to confuse spamming bots. The next form is the real one.




Comment




Comment Formating : HTML tags a, strong, em, b, i, code, pre, p and br allowed. Other tags will be shown as code(< will become &lt;). Urls, Line breaks will be auto-formated.