Textpattern CMS support forum
Unsafe use of target blank
Developers have been frequently using this attribute to open a new webpage. But this attribute, though looks pretty simple, can create a major security threat to your application.
The threat associated is called Reverse Tabnabbing. The issue is the webpage that we are linking our existing page to gains a partial access to the linking page, or in other words, the target page or url gains a partial access to our parent page from where the user is redirected to a new url. hackernoon.com/unsafe-use-of-target_blank-39413ycf
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Unsafe use of target blank
That short article mentions rel="noopener" to mitigate the issue. I think that it is now the default on at least Safari (and Firefox?), see Mathias' note.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Unsafe use of target blank
phiw13 wrote #322851:
That short article mentions rel="noopener" to mitigate the issue. I think that it is now the default on at least Safari (and Firefox?), see Mathias' note.
I have no idea but I think that the noopener noreferrer are not semantically correct. In websites where there is some kind of an auditing webmaster, I would think that external would be a more precise description.
Yiannis
Re: Unsafe use of target blank
colak wrote #322853:
I have no idea but I think that the noopener noreferrer are not semantically correct. In websites where there is some kind of an auditing webmaster, I would think that external would be a more precise description.
Those are two different things – external tells the current page: “the target of this link is outside of this website”. The noopener tells the browser “the target of this link is not allowed to know where the user comes from”.
There is nothing that prevents you from doing rel=noopener noreferrer external.
Re: Unsafe use of target blank
phiw13 wrote #322855:
Those are two different things – external tells the current page: “the target of this link is outside of this website”. The noopener tells the browser “the target of this link is not allowed to know where the user comes from”. There is nothing that prevents you from doing rel=noopener noreferrer external.
Indeed but the target page will not know the site linking to them.
Yiannis
Re: Unsafe use of target blank
Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Unsafe use of target blank
colak wrote #322856:
Indeed but the target page will not know the site linking to them.
You can drop the noreferrer and still have the security benefits of noopener. And then, is it not what you want, when you note that target=blank is (potentially) unsafe?
Bloke wrote #322857:
Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?
Afaik all links that use target=_blank also have the rel=noopener attribute. But links to external sites set by the user, that is another matter. Are the links set on the Links Panel ever linkified in core/admin side? I don’t think so.
Re: Unsafe use of target blank
Bloke wrote #322857:
Interesting. Is there anywhere in core this affects? Or do we inherently trust all the external links we follow?
I think that the only 2 links with _blank are the textpattern site and the actual home page of the installation. The home page has rel="noopener" but we may need to change it to rel="noopener noreferrer". The link to txp only has rel="external", but I trust you guys:)
The problem may be within the plugins pane where the urls only have rel="external". In my install, I still have some old plugins, where the authors’ sites return various errors. The rss_admin_db_manager for example still links to Rob’s site which, for some time now, returns a 502.
I am all for linking to the authors’ sites, but we may have to make that safer, especially from the back end, as urls often change hands.
Yiannis
Re: Unsafe use of target blank
Good point about links to author sites. That’s the same on the Themes panel. I’m not so fussed about the referrer as we don’t target older browsers anyway, but we could probably do as well to include noopener on those external links.
Re: Unsafe use of target blank
phiw13 wrote #322858:
You can drop the noreferrer and still have the security benefits of noopener. And then, is it not what you want, when you note that target=blank is (potentially) unsafe?
You are right there and it is easy to implement as I have a short tag for all external links:)
Yiannis
#11 2020-05-18 11:03:02
- singaz
Re: Unsafe use of target blank
How to make a link with the target="_blank" using Textile?
How to make a link with the rel="noopener noreferrer external" using Textile?
<a rel="noopener noreferrer external" target="_blank" href="https://site.com/link/">link to site</a>
Is it possible?
Sorry for my horrible English. I’m learning Textpattern, I’m learning English.
Re: Unsafe use of target blank
singaz wrote #323027:
How to make a link with the target="_blank" using Textile? How to make a link with the rel="noopener noreferrer external" using Textile?
I don’t think it is directly possible. Yiannis (Colak) uses a shortcode form, here.