发表新帖
发表新帖

Link with target=“_blank” and rel=“noopener noreferrer” still vulnerable?

前端 未结
关注
4 1761
伪装坚强ぢ
伪装坚强ぢ 2020-11-28 23:41

I see people recommending that whenever one uses target=\"_blank\" in a link to open it in a different window, they should put rel=\"noopener noreferrer\"

相关标签:
4条回答
  • 一个人的身影
    2020-11-29 00:04

    You may be misunderstanding the vulnerability. You can read more about it here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

    Essentially, adding rel="noopener noreferrer" to links protects your site's users against having the site you've linked to potentially hijacking the browser (via rogue JS).

    You're asking about removing that attribute via Developer Tools - that would only potentially expose you (the person tampering with the attribute) to the vulnerability.

    0 讨论(0)
  • 北海茫月
    2020-11-29 00:12

    Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. This is known as reverse tabnapping:

    The referring page is stored in window.opener, and a malicious site could modify this through:

    if (window.opener) {
   window.opener.location = "https://phish.example.com";
}

    Adding rel="noopener noreferrer" fixes this vulnerability in all major browsers.

    Note that you could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.

    Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.

    0 讨论(0)
  • 执笔经年
    2020-11-29 00:17

    If developer console is showing warning regarding noopener noreferrer, make sure you add both noopener and noreferrer in rel. link should be something like below:

    <a href="www.google.com" target="_blank" rel="noopener noreferrer" />
    0 讨论(0)
  • 长发绾君心
    2020-11-29 00:19

    The anchor tag rel=”noopener” or rel=”noreferrer” attributes improve the website security, but some people want to ignore them because they think they will affect their website search engine optimization, but that is just a myth. It protects the confidentiality of your website audience and prevents external website by spreading malicious code.

    0 讨论(0)
 看不清?
提交回复
热议问题