Sign in
Log inSign up
Bhanu Teja Pachipulusu

92 likes

3.7K reads

15 comments

Bolaji Ayodeji
Bolaji Ayodeji
Aug 19, 2020

Really great read, thanks for sharing!

2
1 reply
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Thanks 馃檹

1
Emil Moe
Emil Moe
Aug 19, 2020

Great post, though I don't understand why this is the default behaviour of browsers. Instead noopener should be default and we could add rel="opener".

2
2 replies
Fazle Rahman
Fazle Rahman
Aug 19, 2020

noopener ensures every tab runs in a separate process. Your browser would start crashing if you open too many tabs on slower systems. Hence, it's not the default option.

2
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Hey @emilmoe Thanks 馃檹

You can follow the discussion in github.com/whatwg/html/issues/4078 to get more insights.

1
Shad Mirza
Shad Mirza
Aug 18, 2020

Bookmarked!

1
1 reply
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 18, 2020

Thanks 馃檹

1
Chris Bongers
Chris Bongers
Aug 19, 2020

Well explained, I actually should make more use of this, it's such a default security standard, but wel overlooked.

Just out of curiosity, does anyone know an actual script that will bogus the request with not having this in place?

1
6 replies
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Thanks 馃檹.

What do you mean by "bogus the request" ?

Chris Bongers
Chris Bongers
Aug 19, 2020

Bhanu Teja Pachipulusu What would be an example of a hijack of a URL that doesn't use the noopener

Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Daily Dev Tips

It can be as simple as redirecting the old tab to some other fake site by setting window.opener.location.href. If the redirected site looks close enough to original site and asks user to login again, the unsuspecting user thinks that he got logged out and may enter login credentials.

1
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Oh... May be you meant an actual website which is making use of this attack 馃槀. If so, i don't know of any such site, we have to wait for someone else to answer it.

Chris Bongers
Chris Bongers
Aug 19, 2020

Bhanu Teja Pachipulusu No this is perfect, makes sense so basicly the referal is injecting your original site with a clone.

Just always curious to see how these attacks work. Might set up an extreme sample to test haha.

1
Bhanu Teja Pachipulusu
Bhanu Teja Pachipulusu
Author
Aug 19, 2020

Daily Dev Tips Please do share that site with us when you set it up to test. Will add that to the links. 馃榿