Comments (5)
Why this is bad
While example.com
is one of the domains reserved by IETF in 1999 for use as example, it resolves to an actual server, managed by IANA which serves a page over HTTP as well as HTTPS.
The domain DNS records are signed using DNSSEC, but it does not protect browsers from a Man-In-The-Middle attack since the page is served over HTTP in this case.
The page example.com
could then be replaced by a malevolent actor with a page that silently redirects to a slightly modified version of letsencrypt.com
for nefarious purpose.
from website.
The onclick
handler in index.html:11 is set to onclick="goog_report_conversion('http://example.com/your-link')"
, which should be changed to (probably) https://letsencrypt.org/getting-started/
.
from website.
The goog_report_conversion
function is defined in an inline script in index.html, which gives, after adding missing indentation at the end:
goog_report_conversion = function(url) {
goog_snippet_vars();
window.google_conversion_format = "3";
var opt = new Object();
opt.onload_callback = function() {
if (typeof(url) != 'undefined') {
window.location = url;
}
}
var conv_handler = window['google_trackConversion'];
if (typeof(conv_handler) == 'function') {
conv_handler(opt);
}
}
The function defines a callback function which is provided to window['google_trackConversion']
function as the property onload_callback
of an options object.
This is where the window location is modified, but only if a url
has been provided.
onload_callback = function() {
if (typeof(url) != 'undefined') {
window.location = url;
}
}
Thus, removing the parameter altogether should avoid the redirection.
from website.
Note: The snippet seems to come from this page, which describes different patterns of application:
- Add the code to a text link: the
onclick
handler is on the same<a>
element as thehref
- Add the code to a button: the
onclick
handler is set to a button, with or without ahref
attribute - Add the code to an image: the
onclick
handler is set to an image
In the Let's Encrypt home page, the onclick
handler has been set to a parent <div>
element, which contains a child <a>
with the target href
.
from website.
The same documentation page for the tracking snippet emphasizes that tracking on page load is the preferred method. The tracking on click is only advised in the case of links to 3rd party pages or to track actions that do not result in a page load (file download, phone call, etc.)
from website.
Related Issues (20)
- tls-alpn-01 IS supported by Apache
- Other Client Options for bash should list acme.sh first
- Add Karakalpak language to crowdin HOT 2
- Certificate for Widows 7?! HOT 1
- The Simplified Chinese glossary page displayed completely messed up HOT 2
- Add Tamil(தமிழ்) language to Crowdin HOT 5
- https://letsencrypt.org/.well-known/security.txt does not implement RFC9116 correctly HOT 2
- add documentation for CAA account and validation method binding HOT 2
- Automated integration with Crowdin HOT 7
- README.md has a wrong link to TRANSLATION.md (was: Update information about adding languages to layouts\_partial\langs.html in TRANSLATION.md) HOT 3
- Enhance "A Warm Welcome to ASN.1 and DER"
- Buttons "Get Started" and "Sponsor" on the homepage are too narrow for some languages, the text overlaps
- Obsolete translations - remove, keep or mix with English? HOT 9
- Hero section needs to be recreated. HOT 2
- RTL is broken HOT 1
- Please add to crowdin the possibility to translate the site into Belarusian language HOT 4
- "Thank you" page does not generate in translations HOT 4
- Translate `config/_default/*.toml` on Crowdin
- Header menu links to old DST X3 expiration info, not latest blog on cross-sign expiry
- JELDO.COM HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from website.