This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prevent unsafe links to cross-origin destinations
When using `target="_blank"` to open a link to another page, it's possible for the JavaScript on this newly opened tab to access the `window` of the initiating link, allowing content in the DOM to be modified to something that could deceive or harm the user. The fix for this is to include the attribute `rel="noopener"` in the anchor tag alongside `target="_blank"`. This ensures that any new browsing context created by the hyperlink does not have the `window.opener` browsing context.

More details about this issue can be found here: https://mathiasbynens.github.io/rel-noopener/

According to the link above, support for the `noopener` value was added to these browser versions:

* Chrome 49
* Firefox 55
* Desktop Safari 10.1
* iOS Safari 10.3

It's possible this could be implemented in Microsoft Edge, but I was not able to confirm that.

In order to support this fix on older versions of the browsers above you have to set the rel attribute to `noreferrer`. This disables the opener context but also disables the HTTP Referrer header as well, which might have an effect on referrer tracking through legitimate links.

This was discovered through a customer security scan of an on-premise Chef Supermarket installation. The recommended solution is to support both `noopener` and `noreferrer`, however I think the decision to use the second value is subjective and should be decided by the product manager. So long as customer browsers are relatively up to date (possible big leap?) only supporting `noopener` for now should be sufficient.

Signed-off-by: Keith Walters <kwalters@taphere.com>
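The check a reviewer would want alongside a commit like this is something that finds every `target="_blank"` anchor still missing `noopener`/`noreferrer` and can rewrite it. The following is an added example written for this page; it is not part of the commit above or of the Supermarket code base. It uses a plain regex pass over HTML (no DOM library, so it runs in Node without dependencies), and the sample markup is constructed for illustration. The `addNoopener` helper takes the token to add as a parameter, so the same function produces `rel="noopener"` (the choice made in the commit) or `rel="noopener noreferrer"` (the older-browser fallback the message discusses).

```javascript
// Added example (not from the Supermarket commit): audit and fix anchors that
// open a new browsing context without severing window.opener.
//
// Background from the commit message: a page opened via target="_blank" gets a
// window.opener reference back to the opening tab unless the link carries
// rel="noopener" (or rel="noreferrer", which also drops the Referer header).

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one <a ...> tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated token list; compare tokens, not the raw string.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the tag opens a new context and nothing in rel severs the opener.
function isUnsafeBlank(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  return !(rel.has('noopener') || rel.has('noreferrer'));
}

// Return every offending <a ...> opening tag found in the HTML.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  let m;
  ANCHOR_RE.lastIndex = 0;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    if (isUnsafeBlank(parseAttrs(m[1]))) unsafe.push(m[0]);
  }
  return unsafe;
}

// Rewrite offending tags, merging `token` into an existing rel attribute when
// one is present. token defaults to "noopener"; pass "noopener noreferrer"
// for the older-browser fallback described in the commit message.
function addNoopener(html, token = 'noopener') {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isUnsafeBlank(attrs)) return tag;
    if ('rel' in attrs) {
      const merged = [...relTokens(attrs.rel), token].join(' ');
      const rewritten = attrText.replace(
        /\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i,
        `rel="${merged}"`
      );
      return `<a${rewritten}>`;
    }
    return `<a${attrText} rel="${token}">`;
  });
}

// Constructed sample markup (not taken from the Supermarket templates).
const SAMPLE_HTML = [
  '<a href="https://example.com/docs" target="_blank">docs</a>',
  '<a href="/source" rel="nofollow" target="_blank">source</a>',
  '<a href="https://example.com/safe" target="_blank" rel="noopener">safe</a>',
  '<a href="/same-tab">same tab</a>',
].join('\n');

// Audit the sample: returns the offending tags and the hardened HTML.
function auditSample(token) {
  return {
    unsafe: findUnsafeBlankLinks(SAMPLE_HTML),
    fixed: addNoopener(SAMPLE_HTML, token),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, fixed } = auditSample();
  console.log(`${unsafe.length} unsafe target="_blank" link(s):`);
  unsafe.forEach((t) => console.log('  ' + t));
  console.log('\nHardened HTML:\n' + fixed);
}
```

Running the file directly lists the two unsafe anchors in the sample and prints the rewritten markup; the already-hardened link and the same-tab link are left untouched. A regex pass like this is adequate for a template grep or a CI lint, but it is not an HTML parser: run it over rendered output or ERB source rather than trusting it on arbitrary user-supplied markup.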
1 parent 03748bd, commit 31a56b5
Showing 7 changed files with 23 additions and 23 deletions.