> I think I have an answer: imagine if you have a "My bank" link in a site you
> don't completely trust, you check in your statusbar if the URL is trustful
> (i.e. address = http://www.mybank.com) and you think it is. But when you
> click, there's a JS that changes the URL and redirects you on a phishing
> site; you trusted the link, why can't you trust the site? You can imagine
> the rest...

That is a change of site link - we are talking about only allowing a URL change on the SAME site. Like mybank.com to mybank.com/page1.html, not mybank.com to evilsite.com.
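
An added example, not part of the original messages: one way to enforce the "same site only" rule described above, assuming "same site" means same origin (scheme, host and port). The function name `isSameSiteUrlChange` and the sample URLs are constructed for illustration, reusing the thread's mybank.com and evilsite.com names.

```javascript
// Added illustration: may a script rewrite the displayed URL without a real
// navigation? Allowed only when the requested URL stays on the current origin.
// Assumption: "same site" is interpreted as same origin (scheme + host + port).
function isSameSiteUrlChange(currentHref, requestedUrl) {
  let current, target;
  try {
    current = new URL(currentHref);
    // Resolve relative references such as "/page1.html" against the current page.
    target = new URL(requestedUrl, current);
  } catch (e) {
    return false; // unparsable input is refused, never guessed at
  }
  // Only web schemes qualify; "javascript:" or "data:" URLs have no usable origin.
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  // Compare parsed origins, not string prefixes: a prefix test would accept
  // "http://www.mybank.com.evilsite.com/" and "http://www.mybank.com@evilsite.com/".
  return target.origin === current.origin;
}

// Constructed sample requests, all made from a page on http://www.mybank.com/
const PAGE = "http://www.mybank.com/";
const SAMPLES = [
  "/page1.html",                          // relative path, same origin
  "http://www.mybank.com/page1.html",     // absolute, same origin
  "HTTP://WWW.MYBANK.COM:80/page1.html",  // case and default port normalise away
  "http://evilsite.com/",                 // different host
  "//evilsite.com/login",                 // scheme-relative, different host
  "http://www.mybank.com.evilsite.com/",  // look-alike prefix, different host
  "http://www.mybank.com@evilsite.com/",  // userinfo trick, host is evilsite.com
  "https://www.mybank.com/page1.html",    // different scheme
  "http://www.mybank.com:8080/",          // different port
  "javascript:void(0)",                   // non-web scheme
];

for (const url of SAMPLES) {
  console.log(isSameSiteUrlChange(PAGE, url) ? "allow " : "refuse", url);
}
```
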
