Now this didn't raise concern for me at all, were it not for the knowledge that the destination url is a "friendly." Even though it says evil, it is a site that hosts various proof-of-concept codes. So perhaps this was a prank after all that caught me a bit surprised, or an unintentional bug that had been overlooked, but now eventually exposed.
The browser has a little known feature that can block automatic page redirects or reloads. In its original incarnation, it was deemed merely as an "...accessibility feature." But it is not surprisping if prominent events in the news invite attacks such as this and this.
Such feature can be a first line of defense against attacks that redirect to drive-by malware downloads and masquerading pages that trick users to infect their system. This feature is known as the "Warn me when sites try to redirect or relaod the page" option, falling under the advanced section, general tab, accessibility subsection of the browser options.
In its current state, it falls short in several points, which should have made it more a security measure than an accessibility feature:
1.) It fails to distinguish between redirection to another page within the same domain, or redirection to another page from a different domain. Moreover, this is further amplified as the info bar that appears does not indicate the url that the redirect points to. This is essential as it determines if one is to allow the redirect to occur depending upon the destination page, irrespective of its destination domain.
2.) It fails to block all known redirection techniques, as expemplified by the aformentioned prank. I do not claim to know all redirection techniques, but I can offer up another test case in which it fails to notify of the redirect, such as this.
Leaving the current implementation behind, perhaps NoScript can bank on the former's shortcomings and provide a security-oriented approach.
I know NS already has an implementation in place, but only works for untrusted sites. It would be nice if this redirection blocker can be elevated as a general-purpose utility that can protect against all known redirection techniques, whether by javascript or html headers, that is active for all sites.
And perhaps NS can go a little further by offering options such as to allow same domain redirections to occur, or to notify against automatic page reloads. Of course when the implementation is ripe, then adding features like whitelisting would be like putting cream on top.
NoScript is more than a javascript whitelisting add-on, it has been a security device that is a MUST for every Gecko-based browsers, and even for all browsers if they can support its implementation for that matter. Even if allowing all scripts to run globally, it has several other indespensable features that make your browser, as the tag line says, "...really safer..."
Just sharing my thoughts
/m
