Add rel="noopener noreferrer" to target="_blank". #2071

Closed
EdOverflow opened this issue Mar 13, 2017 · 8 comments

@EdOverflow

EdOverflow commented Mar 13, 2017

rel="noopener noreferrer" should be added to links containing target="_blank" as a precaution against reverse tabnabbing. For more information, please refer to the following article:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

AsciiDoc: http://example.com[Link^]
HTML: <a href="http://example.com" target="_blank">Link</a>
Fix: <a href="http://example.com" target="_blank" rel="noopener noreferrer">Link</a>

attrs << %( target="#{node.attr 'window'}") if node.attr? 'window', nil, false
%(<a href="#{target}"#{attrs.join}>#{node.text}</a>)

Link to source code: https://github.com/asciidoctor/asciidoctor/blob/master/lib/asciidoctor/converter/html5.rb#L1033

@mojavelinux
Member

Thank you for bringing this up for discussion. I now understand the vulnerability.

@hsablonniere what are your thoughts about this? Do you think we should add this if target is _blank? FWIW, Jake seems to like it. See https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/.

It seems like Firefox has fixed this problem in Firefox 52, so perhaps we don't need the exception for Firefox anymore. We can just go with rel="noopener".

@mojavelinux
Member

Btw, I found this site by mathias to be very helpful in understanding the issue. https://mathiasbynens.github.io/rel-noopener/

@hsablonniere

Hey, I read mathias and Jake's articles when they came out. This is very important. I would say 100% agree for noopener. I'm a bit less enthusiastic about noreferrer because of analytics, but it seems to be the solution for old browsers, right?

@EdOverflow
Author

I'm a bit less enthusiastic about noreferrer because of analytics but it seems to be the solution for old browsers right?

Yep, that is correct.

@hsablonniere

Then I would say, let's do this and put in an attribute to opt out.

@mojavelinux
Member

I'm prepared to add rel="noopener", but I don't think we should add "noreferrer". Trying to cater to older browsers is futile because there are numerous other security exploits those browsers are susceptible to. If the user wants to be secure, then the user should be using the latest browser. The user can then expect that we do our part to protect them from our side. That's the contract.

mojavelinux added a commit to mojavelinux/asciidoctor that referenced this issue May 1, 2017
@mojavelinux
Member

If the value of the window attribute is _blank, we'll automatically add rel="noopener". For any other value, you can set the noopener option to get the same behavior.
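
As an added example (not code from the Asciidoctor project or this thread's participants), here is the behaviour just described in a minimal form, together with a small defender-side scan that flags anchors still missing the protection. The names render_link, unsafe_blank_links and the sample HTML are constructed for illustration.

```ruby
# Added example (not the Asciidoctor converter's code): an anchor whose window
# attribute is _blank gets rel="noopener" automatically; any other window value
# gets it only when the noopener option is set.
def render_link(target, text, window: nil, noopener: false)
  attrs = []
  if window
    attrs << %( target="#{window}")
    # The fix discussed in this issue: a page opened in a new browsing context
    # must not keep a usable window.opener back to the page that opened it.
    attrs << %( rel="noopener") if window == '_blank' || noopener
  end
  %(<a href="#{target}"#{attrs.join}>#{text}</a>)
end

# Defender-side check: report anchor tags that open a new window without
# rel="noopener" (rel="noreferrer" also severs the opener, so it counts too).
ANCHOR_RE = /<a\b[^>]*>/i

def unsafe_blank_links(html)
  html.scan(ANCHOR_RE).select do |tag|
    target = tag[/\btarget\s*=\s*["']?([^"'\s>]+)/i, 1]
    rel    = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s.downcase.split
    target&.casecmp?('_blank') && !(rel.include?('noopener') || rel.include?('noreferrer'))
  end
end

# Constructed sample document: one unprotected link, one fixed as the issue
# proposes, and one that opens a named window with the noopener option.
SAMPLE_HTML = <<~HTML
  <p><a href="http://example.com" target="_blank">Link</a></p>
  <p><a href="http://example.com" target="_blank" rel="noopener noreferrer">Link</a></p>
  <p><a href="http://example.com" target="other" rel="noopener">Link</a></p>
HTML

if $PROGRAM_NAME == __FILE__
  puts render_link('http://example.com', 'Link', window: '_blank')
  puts unsafe_blank_links(SAMPLE_HTML)
end
```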

@mojavelinux mojavelinux added this to the v1.5.6 milestone May 1, 2017
@mojavelinux mojavelinux self-assigned this May 1, 2017
mojavelinux added a commit to mojavelinux/asciidoctor that referenced this issue May 2, 2017
@asciidoctor asciidoctor deleted a comment Oct 22, 2017
dsteelma-umd added a commit to dsteelma-umd/archelon that referenced this issue Aug 20, 2019
Added "rel: 'noopener'" so that the target page can't get
control of the "Back" button to possibly mislead the user. Probably
not an issue in this case, but probably a good practice.

See https://mathiasbynens.github.io/rel-noopener/ and
asciidoctor/asciidoctor#2071

https://issues.umd.edu/browse/LIBHYDRA-179
DevHyperCoder added a commit to DevHyperCoder/WebFolio that referenced this issue Oct 2, 2020