> Speaking of which, is there any way to disable or bypass that kind of crap?
If you have JavaScript disabled, or these particular event handlers somehow blocked, the href is never replaced.
> Javascript is allowed to manipulate the status bar
That's disabled by default in most browsers (see in FF about:config, dom.disable_window_status_change -> true). Look at the mousedown handler of links to see that the href attribute is changed on mousedown.
The problem is blocking google.com javascript will also block recaptcha on any domains that use it (a lot do), which they ever so helpfully moved from recaptcha.org to google.com.
The href attribute is still changed. While javascript can't change the status bar explicitly any more, they can set the link's href to the fake URL and change the link's target in the click event.
If you have JavaScript disabled, or these particular event handlers somehow blocked, the href is never replaced.
> Javascript is allowed to manipulate the status bar
That's disabled by default in most browsers (see in FF about:config, dom.disable_window_status_change -> true). Look at the mousedown handler of links to see that the href attribute is changed on mousedown.