Noopener

Do you know what the biggest dread of a malicious stand-up comedian is? That you have noopener! BADA-PISH


I saw a recommendation today to put "noopener" in _blank links (links that open in a new tab or window).

These links:

<a href="https://www.example.com" target="_blank">Link text</a>

It's a really old security weakness, and when I saw the demo page, I remembered reading about it previously.

Here's the thing: when a link opens in a new tab or window, that new tab or window has access to the location (the content of the address bar) of the page that linked to it. It can change that location/URL, and thereby the content of the page, and for instance send the user to a phishing page.

Here's a demo

You could do something similar with a page that doesn't open in a new tab or window by altering the history, so that clicking "back" takes the user to a phishing page.

A difference is that _blank lets the new tab or window constantly monitor what pages you visit in the first tab or window: if you click on a link in tab A that opens in a new tab (B), then tab B can monitor all the pages you visit in tab A. If you log in and have sensitive data in the URL, the other tab could catch this. It has access to the address bar of tab A for as long as both tabs are open, no matter what domain or site you visit in tab A.


By having noopener and noreferrer (for older browsers) in the rel attribute of the _blank links, tab B won't have access to the location that is currently displayed in tab A.

<a rel="noopener noreferrer" href="https://www.example.com" target="_blank">Link text</a>
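As an added example (not code from the original post), here is a small check that flags target="_blank" links missing the rel values recommended above and rewrites them to carry them. It matches anchor tags with a regex, which is fine for a quick lint of simple markup but is not a full HTML parser; the sample markup is constructed from the two links above plus two more.

```javascript
// Constructed sample markup: the two links from the post, a _blank link with an
// unrelated rel value, and a same-tab link that needs no change.
const SAMPLE_HTML = `
<a href="https://www.example.com" target="_blank">Link text</a>
<a rel="noopener noreferrer" href="https://www.example.com" target="_blank">Link text</a>
<a href="https://www.example.com/other" target="_blank" rel="nofollow">Other</a>
<a href="/same-tab">Same tab</a>
`;

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute list of one <a ...> tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// A _blank link is considered safe when rel contains noopener. noreferrer also
// implies noopener in current browsers, so it is accepted too.
function isSafeBlankLink(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return true;
  const tokens = (attrs.rel || "").toLowerCase().split(/\s+/);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Return the href of every target="_blank" link that lacks noopener/noreferrer.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!isSafeBlankLink(attrs)) unsafe.push(attrs.href || "");
  }
  return unsafe;
}

// Rewrite the markup so every _blank link carries rel="noopener noreferrer",
// keeping any rel values that were already present.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (isSafeBlankLink(attrs)) return tag;
    const existing = (attrs.rel || "").split(/\s+/).filter(Boolean);
    const rel = [...new Set([...existing, "noopener", "noreferrer"])].join(" ");
    const withoutRel = attrText.replace(/\s*\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return `<a${withoutRel} rel="${rel}">`;
  });
}
```

Running findUnsafeBlankLinks over the output of hardenBlankLinks is the check that nothing was missed.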

So far Safari and WebKit have been doing some work to make noopener the default behaviour, so that instead you would have to set an opener value to let tab B have access to the location of tab A.

31.01.2019