2. 程式人生 > >Security risk for opening new tabs or windows

Security risk for opening new tabs or windows

阿新 發佈:2018-12-09

Background

Today eslint reports an error when I introduce eslint-plugin-react

error  Using target="_blank" without rel="noopener noreferrer" is a security risk: see https://mathiasbynens.github.io/rel-noopener  react/jsx-no-target-blank

Why

Opening a new tab/window, either by hyperlinks (i.e <a> tag with target attribute set to _blank

) or programmatically calling window.open, will grant the newly-opened tab/window access back to the originating tab/window via window.opener. Therefore, the newly opened tab/window can then change the window.opener.location to redirect to the phishing page in the background, or execute some JavaScript on the opener-page on your behalf.

How to fix

Add rel="noopenner" to outgoing links. E.g.

<a href="https://abc.com" target="_blank" rel="noopener">
window.open('https://abc.com', 'security', 'noopener');
  • Reset opener property

Note: this technique is subject to Same Origin Policy

let nw = window.open('https://abc.com', 'security');
nw.opener = null;

Reference

Notice

  • If you want to follow the latest news/articles for the series of my blogs, Please 「Watch」to Subscribe.

相關推薦

Security risk for opening new tabs or windows

Background Today eslint reports an error when I introduce eslint-plugin-react error Using target="_blank" without rel="noopener nore

WCF : 修復 Security settings for this service require Windows Authentication but it is not enabled for the IIS application that ho

摘要 : 最近遇到了一個奇怪的 WCF 安全配置問題, WCF Service 上面配置了Windows Authentication. IIS上也啟用了 Windows Authentication, 但是仍然出現IIS沒有啟用Windows Authentication的問題. 在網路上能查到的資料很少.

分配一維動態數組or 二維動態數組的方法以及學習 new 方法or vector

bsp 不能 存儲空間 hot i++ num 數組 stream span 先來個開胃菜 1 // 使用new動態分配存儲空間 2 3 #include<iostream> 4 using std::cout; 5 6 int main()

[jnhs]使用netbeans生成的webapp釋出到tomcat是需要改名字的,不然就是404Description The origin server did not find a current representation for the target resource or is not

   第一次使用tomcat釋出webapp 遇到404錯誤  Description The origin server did not find a current representation for the target resource or is not will

E212: Can't open file for writing Press ENTER or type command to continue

E212: Can't open file for writing Press ENTER or type command to continue  出現這個錯誤的原因可能有兩個:  1.當前使用者的許可權不足  2.此檔案可能正被其他程式或使用者使用。  一般

Installing OpenSSH from the Settings UI on Windows Server 2019 or Windows 10 1809

Installing OpenSSH from the Settings UI on Windows Server 2019 or Windows 10 1809 OpenSSH client and server are installable features of Windows 10 1809.

the right pose to design a security system for sign up

引子 最近有個虛擬練習專案,涉及到系統安全保障的設計,於是對安全保障這塊做了一些更深入的瞭解。發現了很多有趣的東西,開闊了眼界。中間查了一些資料,於是我打算重新整理,用更加循序漸進,大家都能懂的方式,說一說如何設計一個安全的系統。 著名的安全事件 首先來看看最近幾年比較著名

Application Security Musts for every iOS App

Application Security Musts for every iOS AppApplication security is one of the most important aspects of software development.Users of our apps expect that

About Me For A New Job

寫在前面的話 最近剛離職,準備找工作,雖在計劃之內,但稍微有點突然,因為理想的Ruby/Rails開發/技術棧還沒有準備成熟,更沒有像樣的作品可以拿出來秀秀。儘管如此,生活繼續,工作也將繼續,於是有了這篇求職帖。 出於對技術和分享的熱情,自2012年10月在Linode維護了一個獨立部落格(基於

flink1.7 之安裝使用centos 7 or windows 10(一)

1.centos 7安裝使用 所需要的環境 環境名稱 下載地址 netcat https://eternallybored.org/misc/netcat/ jdk8 http://

關於linux Or Windows執行jar包 Invalid or corrupt jarfile以及class檔案notfound

第一個: Invalid or corrupt jarfile XXXX.jar這個原因提示了,是因為你打的包檔案不全,如果你用壓縮工具檢視完整的jar包的話,你會發現jar檔案裡缺少內容,在我這裡就是缺少了清單檔案,看我下面的圖META-INF資料夾裡的檔案MANIFEST

使用Microsoft RDC for Mac在Mac和Windows間傳檔案

下面介紹如何使用Microsoft Remote Desktop Connection Client for Mac在Mac和Windows間傳送檔案 1、開啟RDC連線遠端桌面,點選首選項 2、

Ask HN: How do you manage a security policy for your small team?

My company is a small team operating in the digital health space that's recently grown to 12 in the past year. Although we don't deal with a ton of PHI, s

time translations for 13 new languages | AITopics

Google announced this week that its Translate app for iOS and Android recognize 13 new languages through your smartphone's camera. The update, which includ

Skill Up Your Career For The New AI Economy

A few years ago I had written an article about how technology is literally obliterating jobs and how to skill yourself up for this new economy. In this art

Exponential Altruism: A Strategy for a New World

Our world faces multiple global crises that are growing in both severity and urgency. These are not limited to a climate and ecological catastrophe¹, a wor

Reolink Argus Pro review: a completely wireless indoor/outdoor security camera for modest budgets

Reolink has effectively filled a void with its Argus line of affordable, no-frills, wireless indoor/outdoor security cameras. The Argus Pro is its latest o

Ask HN: What topics/subjects are worth learning for a new software engineer?

Not the person you're replying to, but I'll share one of my favorites:Given an address such as "123 Main St, Boston, MA 00215", break it up into its compon

Evaluating PlaidML and GPU Support for Deep Learning on a Windows 10 Notebook

Evaluating PlaidML and GPU Support for Deep Learning on a Windows 10 NotebookFigure 1. PlaidML Logo.PlaidML is a deep learning software platform which enab

The best Course to Learn Spring Security 5 for Experienced Java Developers

If you are a Java Spring developer and working with Spring Security then you may be familiar with the "Learn Spring Security" course by Eugen Paraschiv of