Window.open() and target=”_blank” have a security vulnerability
source link: http://www.js-craft.io/blog/window-open-and-target_blank-have-a-security-vulnerability/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Window.open() and target=”_blank” have a security vulnerability
We often use the HTML target="_blank" or the Javascript window.open() to open pages in new tabs.
// in html
<a href="www.google.com" target="_blank">open google</a>
// in javascript
window.open("www.google.com")
But when the newly opened pages are pointing to a site that we don't know we are opened to a phishing vulnerability. The new page gains some partial access to the linking page with the window.opener
object.
For example, it can use the window.opener.location
to point the user of the initial page to a fake phishing site that mimics the looks of the original and do all kinds of nasty stuff. This can be very efficient given that the user trusts the page that is already opened.
In order to prevent this we can:
- in HTML use the
rel="noopener noreferrer"
withtarget="_blank"
<a href="someLink.com" target="_blank" rel="noopener noreferrer">
open securely in a new tab
</a>
- in Javascript be sure to reset the "opener" property
const newWindow = window.open("someLink.com");
newWindow.opener = null;
I hope you have enjoyed this article and if you would like to get more articles about React and frontend development you can always sign up for my email list.
Newsletter subscribe:
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK