为了账号安全,请及时绑定邮箱和手机立即绑定

Security risk for opening new tabs or windows

标签:
JavaScript

Background

Today eslint reports an error when I introduce eslint-plugin-react

error  Using target="_blank" without rel="noopener noreferrer" is a security risk: see https://mathiasbynens.github.io/rel-noopener  react/jsx-no-target-blank

Why

Opening a new tab/window, either by hyperlinks (i.e <a> tag with target attribute set to _blank) or programmatically calling window.open, will grant the newly-opened tab/window access back to the originating tab/window via window.opener. Therefore, the newly opened tab/window can then change the window.opener.location to redirect to the phishing page in the background, or execute some JavaScript on the opener-page on your behalf.

How to fix

Add rel="noopenner" to outgoing links. E.g.

<a href="https://abc.com" target="_blank" rel="noopener">
window.open('https://abc.com', 'security', 'noopener');
  • Reset opener property

Note: this technique is subject to Same Origin Policy

let nw = window.open('https://abc.com', 'security');
nw.opener = null;

Reference

Notice

  • If you want to follow the latest news/articles for the series of my blogs, Please 「Watch」to Subscribe.



作者:不吃猫的鱼_zjh
链接:https://www.jianshu.com/p/8d3e10279251


点击查看更多内容
TA 点赞

若觉得本文不错,就分享一下吧!

评论

作者其他优质文章

正在加载中
  • 推荐
  • 评论
  • 收藏
  • 共同学习,写下你的评论
感谢您的支持,我会继续努力的~
扫码打赏,你说多少就多少
赞赏金额会直接到老师账户
支付方式
打开微信扫一扫,即可进行扫码打赏哦
今天注册有机会得

100积分直接送

付费专栏免费学

大额优惠券免费领

立即参与 放弃机会
意见反馈 帮助中心 APP下载
官方微信

举报

0/150
提交
取消