This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

add rel="noopener" to all external links with target="_blank" #9743

Closed
diracdeltas opened this issue Jun 27, 2017 · 1 comment

Comments

@diracdeltas
Member

diracdeltas commented Jun 27, 2017

Test plan

#10290 (comment)


(reported by email by the folks at lgtm.com)

In general, cross-origin anchor elements with target="_blank" create a security risk as described in https://mathiasbynens.github.io/rel-noopener/. This is solved by adding rel="noopener" to all links with target="_blank", which nulls the window.opener object.

I don't think this is currently exploitable in Brave because, based on experimentation, window.opener is automatically set to null when the opener is a chrome-extension:// URL. However, for defense in depth we should probably add rel="noopener" anyway.

@cezaraugusto
Contributor

cc @kjozwiak

@bsclifton bsclifton added this to the 0.21.x (Nightly Channel) milestone Aug 7, 2017
dfperry5 pushed a commit to dfperry5/browser-laptop that referenced this issue Aug 18, 2017
To avoid tab-nabbing attacks, all external links with
target='_blank' must have rel='noopener'

Fix brave#9743
@bbondy bbondy modified the milestones: 0.21.x (Developer Channel), 0.20.x (Beta Channel) Oct 25, 2017
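
One way to audit markup for the links this issue describes, as an added example that is not part of the original thread or Brave's code. It assumes static HTML and a hypothetical page origin `https://app.example`; the helper names and the sample markup are constructed for illustration.

```javascript
// Added example: flag external target="_blank" links that keep window.opener.
// PAGE_ORIGIN and SAMPLE_HTML are constructed for illustration.
const PAGE_ORIGIN = 'https://app.example';
const SAMPLE_HTML = `
<a href="/settings" target="_blank">same origin, relative</a>
<a href="https://other.example/a" target="_blank">no rel</a>
<a href='https://other.example/b' target=_BLANK rel="nofollow">rel lacks noopener</a>
<a href="https://other.example/c" target="_blank" rel="noopener">ok</a>
<a href="https://other.example/d" target="_blank" rel="nofollow NoReferrer">ok</a>
<a title="x > y" href="//cdn.example/e" target="_blank">protocol-relative</a>`;

// Opening <a> tags; quoted attribute values may contain '>'.
const ANCHOR_RE = /<a\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Attribute map for one opening tag; the first occurrence of a name wins, as in HTML.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  for (const m of tag.slice(2, -1).matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = [m[2], m[3], m[4]].find(v => v !== undefined) || '';
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// Resolve href against the page; anything that is not same-origin counts as external.
function isExternal(href, pageOrigin) {
  try { return new URL(href, pageOrigin).origin !== pageOrigin; }
  catch (e) { return true; } // unparseable href: be conservative
}

// True when the link opens a new window cross-origin without severing window.opener.
function needsNoopener(attrs, pageOrigin) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  if (!isExternal(attrs.href || '', pageOrigin)) return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  // rel="noreferrer" implies noopener in the HTML spec, so either token passes.
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Returns the href of every link that still needs rel="noopener".
function findUnsafeLinks(html, pageOrigin) {
  return (html.match(ANCHOR_RE) || []).map(parseAttrs)
    .filter(attrs => needsNoopener(attrs, pageOrigin)).map(attrs => attrs.href);
}

console.log(findUnsafeLinks(SAMPLE_HTML, PAGE_ORIGIN));
```

A check like this can run in CI over rendered templates so that new external links without rel="noopener" fail the build.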