92 likes
路
3.7K reads
15 comments
Really great read, thanks for sharing!
Thanks 馃檹
Great post, though I don't understand why this is the default behaviour of browsers. Instead noopener
should be default and we could add rel="opener"
.
noopener
ensures every tab runs in a separate process. Your browser would start crashing if you open too many tabs on slower systems. Hence, it's not the default option.
Hey @emilmoe Thanks 馃檹
You can follow the discussion in github.com/whatwg/html/issues/4078 to get more insights.
Bookmarked!
Thanks 馃檹
Well explained, I actually should make more use of this, it's such a default security standard, but wel overlooked.
Just out of curiosity, does anyone know an actual script that will bogus the request with not having this in place?
Thanks 馃檹.
What do you mean by "bogus the request" ?
Bhanu Teja Pachipulusu What would be an example of a hijack of a URL that doesn't use the noopener
It can be as simple as redirecting the old tab to some other fake site by setting window.opener.location.href
. If the redirected site looks close enough to original site and asks user to login again, the unsuspecting user thinks that he got logged out and may enter login credentials.
Oh... May be you meant an actual website which is making use of this attack 馃槀. If so, i don't know of any such site, we have to wait for someone else to answer it.
Bhanu Teja Pachipulusu No this is perfect, makes sense so basicly the referal is injecting your original site with a clone.
Just always curious to see how these attacks work. Might set up an extreme sample to test haha.
Daily Dev Tips Please do share that site with us when you set it up to test. Will add that to the links. 馃榿