Reputation: 4964
Link with target="_blank" and rel="noopener noreferrer" still vulnerable?
I see people recommending that whenever one uses target="_blank" in a link to open it in a different window, they should put rel="noopener noreferrer". I wonder how does this prevent me from using Developer Tools in Chrome, for example, and removing the rel attribute. Then clicking the link...
Is that an easy way to still keep the vulnerability?
Upvotes: 353
Views: 374828
Answers (7)
Reputation: 18649
You may be misunderstanding the vulnerability. You can read more about it here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
Essentially, adding rel="noopener noreferrer" to links protects your site's users against having the site you've linked to potentially hijacking the browser (via rogue JS).
You're asking about removing that attribute via Developer Tools - that would only potentially expose you (the person tampering with the attribute) to the vulnerability.
Update as of 2021: All current versions of major browsers now automatically use the behavior of rel="noopener" for any target="_blank" link, nullifying this issue. See more at chromestatus.com.
Upvotes: 472
Reputation: 1343
There's no answer pointing out a case when you would actually want to pass referrer just ignoring any "security risk" warnings: for instance, when you are linking your own external website, which is controlled by you/your org and which presumably has no described security vulnerabilities.
For instance, in my case, in I want to see in Google Analytics how many of my visitors read docs by clicking links inside the web app (which uses a separate domain from where docs are) and how many come from search engines, and hence I want to utilize the referrer header for distinguishing these user groups.
Here's how you can do it when linking websites like your own docs that are safe for sure:
{/* Safe link to the own website *//* eslint-disable-next-line react/jsx-no-target-blank */}
<a href="https://my-own-website.com" target="_blank">
Learn more
</a>
In React, I made a wrapper common component to avoid putting eslint-disable everywhere in the code (an opposite to UnsafeExternalLink component):
import React, { ReactNode } from 'react';
/* eslint-disable react/jsx-no-target-blank */
/**
* Safe link to own external websites only.
*/
const SafeExternalLink = ({
href,
children,
}: {
href: string;
children: ReactNode;
}) => (
<a href={href} target="_blank">
{children}
</a>
);
export default SafeExternalLink;
Upvotes: 7
Reputation: 5418
Browsers fix
All major browsers have fixed this issue by updating the default behaviour to be secure without having to specify rel property. Read more in About rel=noopener.
- Chrome fixed it at v88
- Safari fixed it in 2016!
- Firefox fixed it at v52
- New Edge is Chromium based, so fixed too
Upvotes: 61
Reputation: 17428
Regarding the Lighthouse Best Practices audits report:
Add
rel="noopener"orrel="noreferrer"to any external links to improve performance and prevent security vulnerabilities.
In general, when you use target="_blank", always add rel="noopener" or rel="noreferrer":
For example:
<a href="https://www.kaiostech.com/store/" target="_blank" rel="noreferrer">
KaiStore
</a>
rel="noopener"prevents the new page from being able to access thewindow.openerproperty and ensures it runs in a separate process.rel="noreferrer"has the same effect but also prevents theRefererheader from being sent to the new page.
See the official document for more information.
Upvotes: 35
Reputation: 8736
If developer console is showing warning regarding noopener noreferrer, make sure you add both noopener and noreferrer in rel. link should be something like below:
<a href="www.google.com" target="_blank" rel="noopener noreferrer" />
Upvotes: 0
Reputation: 453
The anchor tag rel=”noopener” or rel=”noreferrer” attributes improve the website security, but some people want to ignore them because they think they will affect their website search engine optimization, but that is just a myth.
It protects the confidentiality of your website audience and prevents external website by spreading malicious code.
Upvotes: 4
Reputation: 42304
Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. This is known as reverse tabnapping:
The referring page is stored in window.opener, and a malicious site could modify this through:
if (window.opener) {
window.opener.location = "https://phish.example.com";
}
Adding rel="noopener noreferrer" fixes this vulnerability in all major browsers.
Note that you could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.
Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.
Upvotes: 145
Related Questions
- Why people use `rel="noopener noreferrer"` instead of just `rel="noreferrer"`
- Target="_blank" vs window.open
- How can I avoid vulnerability with target="_blank" in a hyperlink?
- Why is 'noreferrer' not working on links?
- Using rel="noopener" in window.open()
- Why do links with rel="noopener noreferrer" always open in a new tab?
- Do I need to put rel="noopener" to each target="blank" even if the pointed website is from my own site?
- mailto in href: should I add rel noopener,noreferrer?
- Can noopener and noreferrer attributes be used with the target attribute?
- Can an HTML anchor link explicitly require that a secure tab be opened?