To the contrary, there is an infinite number of uses. And this isn't a hole. This is HOW. JAVASCRIPT. WORKS. Period.
There seems to be a misperception that the URL you see on hover is 100% where you'll go if you click it. No. It's just representing the current state of the href. JS owns the DOM and its interactions. If it wants to intercept a click and rewrite an href or do an e.preventDefault() or redirect with window.location, that is its prerogative. That is the power that it is intended to have. It is this power which makes the modern web work.
If we can't teach people to look at the location bar and check domain names and SSL-related colors and icons, we can't help them avoid phishing. Restricting what basic JS can do so that the possibly fictitious group of people who check the status bar on hover but don't check their location bar can be protected is a terrible, terrible idea.
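Added example, not part of the original comment: a simplified model of the click sequence described above, showing that the hover preview reads `href` before any handler runs while navigation uses the state left after the handlers. `FakeAnchor`, `simulateClick`, `runCases` and the example.com / example.org URLs are constructed for illustration; built-in `EventTarget` and `Event` stand in for a real DOM.

```javascript
// Constructed stand-in for an <a> element (assumption: not a real DOM node).
class FakeAnchor extends EventTarget {
  constructor(href) {
    super();
    this.href = href;
  }
}

// Simplified model of a link click. `location` stands in for window.location.
function simulateClick(anchor, location) {
  const hovered = anchor.href; // what the hover preview displayed
  const start = location.href;
  const ev = new Event('click', { cancelable: true });
  anchor.dispatchEvent(ev); // page handlers run before any navigation
  let navigated;
  if (!ev.defaultPrevented) {
    navigated = anchor.href; // default action follows href as it is *now*
  } else if (location.href !== start) {
    navigated = location.href; // handler cancelled the click and redirected
  } else {
    navigated = null; // click swallowed, no navigation
  }
  return { hovered, navigated, matches: hovered === navigated };
}

function runCases() {
  const page = 'https://example.com/';
  const plain = new FakeAnchor('https://example.com/docs');

  const rewritten = new FakeAnchor('https://example.com/docs');
  rewritten.addEventListener('click', () => {
    rewritten.href = 'https://example.org/landing';
  });

  const redirected = new FakeAnchor('https://example.com/docs');
  const loc = { href: page };
  redirected.addEventListener('click', (e) => {
    e.preventDefault();
    loc.href = 'https://example.org/landing';
  });

  return {
    plain: simulateClick(plain, { href: page }),
    rewritten: simulateClick(rewritten, { href: page }),
    redirected: simulateClick(redirected, loc),
  };
}
```

In each mismatching case the `navigated` value is what ends up in the location bar, which is why that is the indicator worth checking.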