
Textpattern CMS support forum


#1 2020-05-05 05:25:38

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,152
Website

Unsafe use of target blank

Developers have been frequently using this attribute to open a new webpage. But this attribute, though it looks pretty simple, can create a major security threat to your application.
The threat associated is called Reverse Tabnabbing. The issue is that the webpage we are linking our existing page to gains partial access to the linking page, or in other words, the target page or URL gains partial access to our parent page from where the user is redirected to a new URL. hackernoon.com/unsafe-use-of-target_blank-39413ycf


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | NeMe @ github | Covid-19; a resource
I do my best editing after I click on the submit button.

Offline

#2 2020-05-05 06:59:45

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,038
Website

Re: Unsafe use of target blank

That short article mentions rel="noopener" to mitigate the issue. I think that it is now the default on at least Safari (and Firefox?), see Mathias’ note.


Where is that emoji for a solar powered submarine when you need it ?

Offline

#3 2020-05-05 08:21:44

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,152
Website

Re: Unsafe use of target blank

phiw13 wrote #322851:

That short article mentions rel="noopener" to mitigate the issue. I think that it is now the default on at least Safari (and Firefox?), see Mathias’ note.

I have no idea but I think that the noopener noreferrer are not semantically correct. In websites where there is some kind of an auditing webmaster, I would think that external would be a more precise description.



Offline

#4 2020-05-05 08:37:43

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,038
Website

Re: Unsafe use of target blank

colak wrote #322853:

I have no idea but I think that the noopener noreferrer are not semantically correct. In websites where there is some kind of an auditing webmaster, I would think that external would be a more precise description.

Those are two different things – external tells the current page: “the target of this link is outside of this website”. The noopener tells the browser “the target of this link is not allowed to know where the user comes from”.

There is nothing that prevents you from doing rel=noopener noreferrer external.



Offline

#5 2020-05-05 08:49:31

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,152
Website

Re: Unsafe use of target blank

phiw13 wrote #322855:

Those are two different things – external tells the current page: “the target of this link is outside of this website”. The noopener tells the browser “the target of this link is not allowed to know where the user comes from”.

There is nothing that prevents you from doing rel=noopener noreferrer external.

Indeed but the target page will not know the site linking to them.



Offline

#6 2020-05-05 09:07:48

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 9,637
Website

Re: Unsafe use of target blank

Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#7 2020-05-05 09:33:47

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,038
Website

Re: Unsafe use of target blank

colak wrote #322856:

Indeed but the target page will not know the site linking to them.

You can drop the noreferrer and still have the security benefits of noopener. And then, is it not what you want, when you note that target=blank is (potentially) unsafe?

Bloke wrote #322857:

Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?

Afaik all links that use target=_blank also have the rel=noopener attribute. But links to external sites set by the user, that is another matter. Are the links set on the Links Panel ever linkified in core/admin side? I don’t think so.



Offline

#8 2020-05-05 09:43:42

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,152
Website

Re: Unsafe use of target blank

Bloke wrote #322857:

Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?

I think that the only 2 links with _blank are the textpattern site and the actual home page of the installation. The home page has rel="noopener" but we may need to change it to rel="noopener noreferrer". The link to txp only has rel="external", but I trust you guys:)

The problem may be within the plugins pane where the urls only have rel="external". In my install, I still have some old plugins, where the authors’ sites return various errors. The rss_admin_db_manager for example still links to Rob’s site which, for some time now, returns a 502.

I am all for linking to the authors’ sites, but we may have to make that safer, especially from the back end, as URLs often change hands.



Offline

#9 2020-05-05 10:34:53

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 9,637
Website

Re: Unsafe use of target blank

Good point about links to author sites. That’s the same on the Themes panel. I’m not so fussed about the referrer as we don’t target older browsers anyway, but we could probably do as well to include noopener on those external links.



Offline

#10 2020-05-05 15:18:26

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 8,152
Website

Re: Unsafe use of target blank

phiw13 wrote #322858:

You can drop the noreferrer and still have the security benefits of noopener. And then, is it not what you want, when you note that target=blank is (potentially) unsafe?

You are right there and it is easy to implement as I have a short tag for all external links:)



Offline
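
An added example, not part of the thread or of Textpattern's code: a small Python audit that flags target="_blank" links lacking noopener or noreferrer, such as the rel="external"-only links discussed above, and suggests a rel value that keeps the existing tokens. The markup, placeholder URLs and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Either token denies the new tab a window.opener handle (noreferrer implies noopener).
SEVERING = {"noopener", "noreferrer"}

def harden_rel(value):
    """Add noopener to a rel value, keeping existing tokens such as 'external'."""
    tokens = (value or "").lower().split()  # space-separated, case-insensitive
    if not SEVERING.intersection(tokens):
        tokens.append("noopener")
    return " ".join(tokens)

class BlankTargetAudit(HTMLParser):
    """Collect links that open a new tab without noopener or noreferrer."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # attribute names arrive lowercased, values as written
        if tag not in ("a", "area"):
            return
        if (attr.get("target") or "").strip().lower() != "_blank":
            return
        if SEVERING.intersection((attr.get("rel") or "").lower().split()):
            return
        self.findings.append({"line": self.getpos()[0], "href": attr.get("href"),
                              "rel": attr.get("rel"),
                              "suggested_rel": harden_rel(attr.get("rel"))})

def audit(html):
    """Return one finding per unprotected target=_blank link in the markup."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup with placeholder URLs, modelled on the thread's cases.
SAMPLE = """\
<a href="https://site.example/" target="_blank" rel="noopener">View site</a>
<a href="https://cms.example/" target="_blank" rel="external">CMS home</a>
<a href="https://author.example/" target="_blank" rel="External">Author</a>
<a href="https://docs.example/" rel="external">Docs, same tab</a>
<a href="https://other.example/" target="_BLANK">No rel</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
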
