
Target="_blank" a security risk



Hi my lords

We use target="_blank" to open linked pages in a new tab or window. But there is a security risk we should be aware of. The new tab gains limited access to the linking page via window.opener, which it can then use to alter the linking page's URL via window.opener.location. This might be a problem if the external resource is not trustworthy. It might have been hacked, the domain has changed owner over the years, etc.

We should always add the rel="noopener noreferrer" attribute to all of our target="_blank" links, in order to prevent a link that is opened in a new tab from causing any trouble.
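One way to check existing templates for the links described above, as an added example that is not part of the original post: a small Python audit that lists every `target="_blank"` link missing the recommended `rel` tokens. The names `BlankTargetAudit` and `audit`, and the sample markup, are constructed for illustration.

```python
from html.parser import HTMLParser

REQUIRED = ("noopener", "noreferrer")  # the rel tokens the post recommends

# Constructed sample markup (not taken from any real site).
SAMPLE = """\
<p>
<a href="https://partner.example/" target="_blank">no rel</a>
<a href="https://docs.example/" target="_BLANK" rel="nofollow noreferrer">partial</a>
<a href="https://safe.example/" target="_blank" rel="noopener noreferrer">ok</a>
<a href="/local">same tab</a>
</p>
"""

class BlankTargetAudit(HTMLParser):
    """Collect <a>/<area> tags that open a new tab without the rel tokens."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {}
        for name, value in attrs:  # keep the first duplicate, as browsers do
            attr.setdefault(name, value or "")
        # The _blank keyword is matched case-insensitively.
        if attr.get("target", "").strip().lower() != "_blank":
            return
        tokens = set(attr.get("rel", "").lower().split())
        missing = [t for t in REQUIRED if t not in tokens]
        if missing:
            line, _col = self.getpos()  # position of the tag's opening "<"
            self.findings.append({
                "line": line,
                "href": attr.get("href", ""),
                "missing": missing,
                # noreferrer implies noopener, so window.opener is only
                # reachable from the new tab when neither token is present.
                "opener_exposed": not tokens & set(REQUIRED),
            })

def audit(html):
    """Return one finding per target="_blank" link lacking a required token."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['href']} missing rel={' '.join(f['missing'])}")
```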

 

 
