JS-0422 · Avoid `target='_blank'` attribute without `rel='noopener noreferrer'`

Avoid target='_blank' attribute without rel='noopener noreferrer' JS-0422

Security

Major

5 months ago — 5 months old

Using target="_blank" without rel="noreferrer" (which implies rel="noopener") is a security risk in older browsers: see https://mathiasbynens.github.io/rel-noopener/#recommendations

app/javascript/mastodon/components/timeline_hint.js

 6  <div className='timeline-hint'>
 7    <strong><FormattedMessage id='timeline_hint.remote_resource_not_displayed' defaultMessage='{resource} from other servers are not displayed.' values={{ resource }} /></strong>
 8    <br />
 9    <a href={url} target='_blank'><FormattedMessage id='account.browse_more_on_origin_server' defaultMessage='Browse more on the original profile' /></a>10  </div>
11);
12

Using target="_blank" without rel="noreferrer" (which implies rel="noopener") is a security risk in older browsers: see https://mathiasbynens.github.io/rel-noopener/#recommendations

app/javascript/mastodon/components/permalink.js

31    const { href, children, className, onInterceptClick, ...other } = this.props;
32
33    return (
34      <a target='_blank' href={href} onClick={this.handleClick} {...other} className={`permalink${className ? ' ' + className : ''}`}>35        {children}
36      </a>
37    );

Description

When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.

Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.

The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.

Bad Practice

// Bad: Example 1
var Hello = <a target='_blank' href="http://example.com/"></a>

// Bad: Example 2
var Hello = <a target='_blank' href={dynamicLink}></a>

// Example 1
var Hello = <p target="_blank"></p>

// Example 2
var Hello = <a target="_blank" rel="noreferrer" href="http://example.com"></a>

// Example 3
var Hello = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>

// Example 4
var Hello = <a target="_blank" href="relative/path/in/the/host"></a>

// Example 5
var Hello = <a target="_blank" href="/absolute/path/in/the/host"></a>

// Example 6
var Hello = <a></a>

magicstone-dev / ecko

Bad Practice

Recommended

References