Add rel="noopener noreferrer" to target="_blank". #2071
Comments
Thank you for bringing this up for discussion. I now understand the vulnerability. @hsablonniere what are your thoughts about this? Do you think we should add this if target is _blank? FWIW, Jake seems to like it. See https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/. It seems like Firefox has fixed this problem in Firefox 52, so perhaps we don't need the exception for Firefox anymore. We can just go with rel="noopener".
Btw, I found this site by Mathias to be very helpful in understanding the issue. https://mathiasbynens.github.io/rel-noopener/
Hey, I read Mathias's and Jake's articles when they came out. This is very important. I would say 100% agree for
Yep, that is correct.
Then I would say, let's do this and put an attribute to opt out.
I'm prepared to add rel="noopener", but I don't think we should add "noreferrer". Trying to cater to older browsers is futile because there are numerous other security exploits those browsers are susceptible to. If the user wants to be secure, then the user should be using the latest browser. The user can then expect that we do our part to protect them from our side. That's the contract.
…ank or when noopener option is set
If the value of the window attribute is
Added "rel: 'noopener'" so that the target page can't get control of the "Back" button to possibly mislead the user. Probably not an issue in this case, but probably a good practice. See https://mathiasbynens.github.io/rel-noopener/ and asciidoctor/asciidoctor#2071 https://issues.umd.edu/browse/LIBHYDRA-179
rel="noopener noreferrer" should be added to links containing target="_blank" as a precaution against reverse tabnabbing. For more information, please refer to the following article: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
AsciiDoc:
http://example.com[Link^]
HTML:
<a href="http://example.com" target="_blank">Link</a>
Fix:
<a href="http://example.com" target="_blank" rel="noopener noreferrer">Link</a>
Link to source code: https://github.com/asciidoctor/asciidoctor/blob/master/lib/asciidoctor/converter/html5.rb#L1033
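As an added illustration (not asciidoctor's own converter code), the following Ruby models the rule the maintainers settled on in this thread, emitting rel="noopener" whenever target="_blank" is set or a noopener option is requested, and adds an audit helper that finds anchors already in rendered HTML that open a new tab without that protection. The function names and the sample HTML are assumptions constructed for this example; only the Ruby standard library is used.

```ruby
require 'cgi'

# Build an anchor the way this thread decided: rel="noopener" is added when the
# link opens in a new browsing context (target="_blank") or when the caller asks
# for it explicitly. "noreferrer" is deliberately not added, per the maintainer.
def render_link(href, text, window: nil, noopener: false)
  attrs = [%(href="#{CGI.escapeHTML(href)}")]
  attrs << %(target="#{CGI.escapeHTML(window)}") if window
  attrs << 'rel="noopener"' if window == '_blank' || noopener
  %(<a #{attrs.join(' ')}>#{CGI.escapeHTML(text)}</a>)
end

# Audit helper: return every <a ...> tag in +html+ that has target="_blank"
# but whose rel attribute carries neither "noopener" nor "noreferrer"
# (browsers treat noreferrer as implying noopener).
def unsafe_blank_anchors(html)
  html.scan(/<a\b[^>]*>/i).select do |tag|
    target = tag[/\btarget\s*=\s*["']?([^"'\s>]+)/i, 1]
    next false unless target && target.casecmp?('_blank')
    rel = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s.downcase.split
    !(rel.include?('noopener') || rel.include?('noreferrer'))
  end
end

# Constructed sample of rendered output: one unprotected new-tab link, one
# protected link (mixed-case target, to show the check is case-insensitive),
# and one same-tab link that needs nothing.
SAMPLE_HTML = <<~HTML
  <p><a href="http://example.com" target="_blank">Link</a>
  <a href="/docs" target="_BLANK" rel="noopener noreferrer">Docs</a>
  <a href="/about">About</a></p>
HTML

if __FILE__ == $PROGRAM_NAME
  puts render_link('http://example.com', 'Link', window: '_blank')
  puts 'Anchors missing noopener:'
  unsafe_blank_anchors(SAMPLE_HTML).each { |tag| puts "  #{tag}" }
end
```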