Do "target=_blank" links introduce a security leak on this page?

Permalink 0 0 Browser Info Environment
Using the target=_blank attribute is rarely recommended. Nevertheless, if you need to use this attribute, note that a security leak could cause harm to your visitors, particularly if your site is open to visitor contributions.

It allows the targeted page to manipulate the window.opener.location property, and thus to perform a redirect within the parent tab. When the user gets back to the parent tab, he can be facing a malicious website (phishing, etc).

We recommend you to add the rel=noreferrer attribute when using a target = _blank to an external website. This will block access to "window.opener".
If your website allows users to publish contributive content (eg comments, customer reviews, etc.), be sure to automate the addition of this protection. Otherwise, a user could easily exploit this breach.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferr...


Social Links and other generated links could introduce rel=noreferrer tags.


Status: New
extensi

concrete5 Environment Information

8.2.1

Browser User-Agent String

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36