0

Is it possible to hide an href value from the browser, but keep it working?

<a href="tel: 0044005" onclick="finalnumber" onmouseover="hidden">
Fernando Souza
  • 1,748
  • 1
  • 20
  • 36
  • I am afraid that when the mouse is over the link, the browser has to say *something*. – Diogenis Siganos Jul 29 '21 at 10:01
  • But there are other ways of achieving the link leading to where you want it to without `tel: 0044005` being shown – Diogenis Siganos Jul 29 '21 at 10:03
  • You can have a bit of JavaScript do the redirection for you if you really want, i.e. put `javascript:my_redirection_function()` instead of your tel number in your `href` attribute (or more elaborate equivalents), but be aware that any bit of data that ends up on a web page can be seen by anyone with even a modest knowledge of web technologies. – kuroi neko Jul 29 '21 at 10:16
  • How that redirect would look like? – Fernando Souza Jul 29 '21 at 10:18
  • See [this](https://stackoverflow.com/a/54962986/2960823) for instance, but again, this is a terrible idea. Circumventing these childish "protections" is a piece of cake. Don't rely on them or you'll be sorry. Either design a truly secure interface, complete with cryptography and passwords, or don't do it. – kuroi neko Jul 29 '21 at 10:27

1 Answers1

1

The browser works for the user. It does not work for the developer of the website.

You cannot give something to the browser and keep it a secret from the user.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • You are right, the broeser is Trom! I guess I will have to change the strategy. Thanks. – Fernando Souza Jul 29 '21 at 10:17
  • 1
    Simply leave your sensitive data on the server and have **it** do the redirection. Anything that goes on a web page is public by default. – kuroi neko Jul 29 '21 at 10:51
  • @kuroineko It's a phone number that the client will call. There is no way to keep the phone number you want someone to call a secret. You can't keep it on the server and use redirect tricks to conceal it, it still has to end up in the user's phone app. (And any efforts to keep the number secret from the user is a terrible idea, they need to know what the number is so they can judge how much it will cost them on their phone bill!) – Quentin Jul 29 '21 at 10:53
  • I agree the example is not particularly relevant, but I was speaking in general. That kind of data should only be served in a session authenticated by a password. After which anything that ends up on the user's computer is indeed accessible by anyone around, and the user is left in charge of keeping the sensitive data away from prying eyes. – kuroi neko Jul 29 '21 at 11:00