Author: Daniel
Translator: Frontend Xiaozhi
Source: js-craft
Dreams and practical content: search WeChat for [Great Move to the World] and follow this wit who is still washing dishes in the early hours.
This article is included in GitHub https://github.com/qq449245884/xiaozhi, together with complete interview test sites of first-tier companies, materials and my series of articles.
We often use HTML target="_blank" or window.open() to open a page in a new window.
<!-- in html (an absolute URL, otherwise the href is resolved relative to the current page) -->
<a href="https://www.google.com" target="_blank">open google</a>
// in javascript
window.open("https://www.google.com")
However, when the newly opened page points to a website we do not control, we expose ourselves to a phishing risk: the new page can reach parts of the page that linked to it through the window.opener object.
For example, the new page can use window.opener.location to redirect the user of the original page to a fake phishing site that mimics the appearance of the original website and does all kinds of nasty things. Because the user already trusts the page they opened, this can be very effective.
To prevent this, in HTML we can add rel="noopener" alongside target="_blank":
<a href="someLink.com" target="_blank" rel="noopener noreferrer">
open securely in a new tab
</a>
In JavaScript, you must reset the opener property of the new window:
const newWindow = window.open("someLink.com");
newWindow.opener = null;
Follow-up: it now appears that noreferrer is redundant, so noopener should be sufficient in HTML.
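As an added example (not code from the original article), the following JavaScript covers both sides of the advice above: an audit helper that scans HTML for <a> tags using target="_blank" without rel="noopener" and rewrites them to carry noopener noreferrer, and a browser-side openWithoutOpener() wrapper that passes the noopener window feature to window.open() and nulls the opener. The function names, the regex-based tag matching and the sample HTML are assumptions made for this example; the tag matching is deliberately simple and suits static templates, not arbitrary HTML.

```javascript
// Added example: audit and fix reverse-tabnabbing exposure from target="_blank".
// Tag matching is a simple regex over <a ...> opening tags (an assumption; not a full HTML parser).
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Read one attribute value from an opening tag (double-, single- or unquoted).
function getAttr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// rel="a b c" -> ['a', 'b', 'c'], lower-cased.
function relTokens(tag) {
  const rel = getAttr(tag, 'rel');
  return rel ? rel.toLowerCase().split(/\s+/).filter(Boolean) : [];
}

// True when the tag opens a new window and leaves window.opener reachable.
function isUnsafeAnchor(tag) {
  const target = getAttr(tag, 'target');
  return target !== null && target.toLowerCase() === '_blank'
    && !relTokens(tag).includes('noopener');
}

// Returns every <a> opening tag in the HTML that is unsafe in the sense above.
function findUnsafeAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafeAnchor);
}

// Rewrites one <a> tag so its rel attribute contains noopener and noreferrer,
// keeping any rel tokens (e.g. nofollow) that were already there.
function hardenAnchor(tag) {
  const tokens = relTokens(tag);
  for (const t of ['noopener', 'noreferrer']) {
    if (!tokens.includes(t)) tokens.push(t);
  }
  const rel = `rel="${tokens.join(' ')}"`;
  if (getAttr(tag, 'rel') !== null) {
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, rel);
  }
  return tag.replace(/>$/, ` ${rel}>`);
}

// Applies hardenAnchor to every unsafe anchor in an HTML string.
function hardenHtml(html) {
  return html.replace(ANCHOR_RE, (tag) => (isUnsafeAnchor(tag) ? hardenAnchor(tag) : tag));
}

// Browser-side counterpart of the article's JavaScript snippet. Passing the
// 'noopener' window feature makes the browser detach the opener itself; the
// explicit null assignment is kept for browsers that ignore the feature.
// `win` defaults to the real window and can be replaced by a stub outside a browser.
function openWithoutOpener(url, win = globalThis.window) {
  if (!win || typeof win.open !== 'function') return null; // not running in a browser
  const newWindow = win.open(url, '_blank', 'noopener,noreferrer');
  if (newWindow) newWindow.opener = null; // window.open returns null when noopener is honoured
  return newWindow;
}

// Constructed sample input: four links, two of which are unsafe (a and d).
const SAMPLE_HTML = [
  '<a href="https://a.example" target="_blank">a</a>',
  '<a href="https://b.example" target="_blank" rel="noopener noreferrer">b</a>',
  '<a href="https://c.example">c</a>',
  '<a href="https://d.example" target="_blank" rel="nofollow">d</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe anchors:', findUnsafeAnchors(SAMPLE_HTML));
  console.log(hardenHtml(SAMPLE_HTML));
}
```

Running the block with Node prints the two offending tags and the rewritten HTML; in a page, openWithoutOpener(url) replaces a bare window.open(url) call. The audit is the kind of check that belongs in a template linter or CI step, since a single forgotten rel attribute is enough to reintroduce the problem.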
Original: http://www.js-caft.io/blog/window-open-and-target_blank-have-a-security-vulnerability/