target="_blank" vulnerability #3177

Closed
dakshalraijada opened this Issue Sep 5, 2016 · 19 comments


dakshalraijada commented Sep 5, 2016

Hi Guys,

Big fan of your work and really appreciate it.
This is a feature request and not an issue.

If you use the target="_blank" attribute on a link, and do not accompany it with a rel="noopener" attribute, you are leaving your users open to a very simple phishing attack.

When a website uses target="_blank" on their links in order to open a new tab or window, that website gives the new page access to the existing window through the window.opener API, allowing it a few permissions. Some of these permissions are automatically negated by cross-domain restrictions, but window.location is fair game.

In order to restrict window.opener access, the original page needs to add a rel="noopener" attribute to any link that has target="_blank". However, Firefox does not support that tag, so you should actually use rel="noopener noreferrer" for full coverage.

There is further reading over here, with an example.

So, the request is to add rel="noopener noreferrer" whenever open in new tab is selected by the user in wysiwyg editor.

If you do have this feature, please ignore, I might be using an older version.

Thanks,
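
The change requested above, sketched as an added example (this is not TinyMCE's or WordPress's own code): a Node.js function that scans an HTML string for links with target="_blank" and adds any missing `noopener` / `noreferrer` tokens while keeping existing rel values. The names `hardenLinks`, `getAttr`, `setRel` and the sample markup are constructed for illustration.

```javascript
// Added example, not TinyMCE's implementation. Regex-based scan of an HTML
// string; adequate for editor output, but attribute values containing ">"
// are not handled, so use a real HTML parser for untrusted markup.
const REQUIRED = ['noopener', 'noreferrer'];

// Read one attribute value (double-quoted, single-quoted or bare) from an opening tag.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return the opening tag with its rel attribute replaced by (or set to) `value`.
function setRel(tag, value) {
  const stripped = tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
  return stripped.replace(/\s*>$/, () => ` rel="${value}">`);
}

// Add the missing rel tokens to every <a target="_blank"> and report what changed.
// Internal and external links are treated alike: the code that rewrites the
// markup may not run on the domain where the content is finally displayed.
function hardenLinks(html) {
  const fixed = [];
  const out = html.replace(/<a\b[^>]*>/gi, (tag) => {
    const target = getAttr(tag, 'target');
    if (!target || target.toLowerCase() !== '_blank') return tag;
    const tokens = (getAttr(tag, 'rel') || '').split(/\s+/).filter(Boolean);
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) return tag; // already safe, leave untouched
    fixed.push({ href: getAttr(tag, 'href'), added: missing });
    return setRel(tag, [...tokens, ...missing].join(' '));
  });
  return { html: out, fixed };
}

// Constructed sample input covering the four cases.
const sample = [
  '<p><a href="https://example.org/a" target="_blank">no rel</a>',
  '<a href="/internal" target="_blank" rel="nofollow">keeps nofollow</a>',
  '<a href="https://example.org/b" target="_blank" rel="noopener noreferrer">already safe</a>',
  '<a href="https://example.org/c">same tab</a></p>',
].join('\n');

const result = hardenLinks(sample);
console.log(result.html);
console.log(result.fixed);
```

The `fixed` list doubles as an audit report: running the function over stored content shows which links would still hand `window.opener` to the page they open.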

Member

Afraithe commented Sep 22, 2016

Thanks for reporting this by the way.

I guess it should be possible to configure tinymce already to force that option on all links, but that might not be the best way of implementing this. Will look into it.

Contributor

jayarjo commented Oct 22, 2016

While we do not enforce rel="noopener noreferrer" on _blank links (and we probably should), we provide the rel_list option, which lets you define a list of values to apply to the rel attribute if chosen from the Link Properties dialog.

Contributor

jayarjo commented Nov 25, 2016

This has been addressed now in v4.5.0. Related option - allow_unsafe_link_target is described here.

@jayarjo jayarjo closed this Nov 25, 2016

dakshalraijada commented Nov 25, 2016

Thank you guys!! 👍

johndubya commented May 5, 2017

Hang on a minute. Why are internal (i.e. relative) links with target _blank also getting rel="noopener noreferrer"? Isn't it true that if the link goes to your own website, reverse tabnabbing is impossible? A hacker would have to put malicious code on your website for reverse tabnabbing to work for internal links. Was the difference between internal vs. external links with target _blank considered?

RealDavidoff commented Aug 31, 2017

No, nothing was considered, neither by dakshalraijada who posted this idiotic "feature request" nor by jayarjo et al who followed suit. :-(

Idiotic? You read that right. Sadly, you didn't read that "feature request" right that brought this MESS onto hundreds of millions of wp users! :-(((

Didn't read right? Indeed: ONLY a link that a SITE OWNER puts(!) or allows(!) to ANOTHER one's site ("alien" site) that he/she neither checked for quality nor is interested(!), ONLY such a link would pose any risk at all.

NO other link. In fact, the millions of site OWNERS(hello!) have always posted links to external sites that they know very well what site that is. And for NONE of all those links that we site OWNERS(get that!) post on OUR sites bear any "risk" at all. Is that so hard to READ and understand?

site owner adds internal link >> NO risk
site owner adds research links >> NO risk
site owner adds media links >> NO risk
site owner adds links to owned network sites >> NO risk

ONLY a link risk exists for the few site owners who a) don't know what they link to, and b) don't care!

And frankly, those few deserve to bear risk.

But is wp serving those idiots, or the millions of decent wp users who put links ON PURPOSE, links they WANT, and the way they PUT them. WITHOUT those idiotic tags SECRETLY ADDED by non-site owners = wp programmers.

Unbelievable.

Member

spocke commented Aug 31, 2017

The code was changed to forcing rel="noopener" on links with target="_blank" since the admin page might not be the same domain as where it's being displayed we can't simply check the domain.

There is an option to opt out of this security feature but security should be opt out not opt in. If you have a blog and a link to an external site that site can be hacked and redirect your blog page in another tab to a faked admin login for your wordpress then you login to that hackers site and they grab the username/password and boom your blog is p0wned!

It might not be an issue for experienced users, but there are a lot of people that don't really look at the location bar when they do things, and if it's a targeted attack you would just change a letter or two in the domain name and you wouldn't notice.

RealDavidoff commented Sep 25, 2017

Wrong. There is NO option that works, to "opt out" of this idiocracy! I have tried everything that's posted online and Google can find, and NONE works.

Security?? As clearly shown above, that particular wp gimmick adds ZERO security but huge confusion and annoyance to millions of site owners. As always, only a handful speak out, but all are suffering.

We clearly do NOT wish ANY secret changes of content WE AS SITE OWNERS put on our sites.
But with that crap of misunderstood "security" feature, now we save some widget content or comment content, BELIEVE it gets posted AS WE ENTERED IT, but hey no: while saving, wp has changed OUR content, and secretly! So we go in, correct that to OUR content, save it, and again the persistent, stubborn change from wp! That's hijacking of user content. Illegal. Unethical. Unacceptable.

If you persist in such idiocracy, add a tick box like earlier for other things.
And if you are that stubborn, okay, make the tickmark the default.
But at the very least, provide a meaningful way for site owners to post EXACTLY the content they believe they post to their site. Here, WITHOUT the foolish noopener tag.

Foolish? What, did you miss the earlier explanation??
ONLY linking to questionable sites CAN at all pose a risk. We don't do that. Very few wp users overall do that.

Contributor

fyrkant commented Sep 25, 2017

@RealDavidoff

First of all I think you need to step away from the computer and cool down a little.

Secondly, what do you mean there isn't a way to opt out? The allow_unsafe_link_target setting that @jayarjo links above should work just fine.

johndubya commented Sep 25, 2017

@RealDavidoff, I wrote a blog post about turning this feature off for a WordPress site. Adding noopener noreferrer to links actually does fix a security problem, as you will read in my post, so don't think it is worthless. It just might be overkill for those who never link to unsafe sites out on the web and who also want the referrer passed through the link.

RealDavidoff commented Sep 25, 2017

I read that too, and that too doesn't work.
Read above, wp now hijacks site owner content in widgets, comments, posts, pages.

As I explained in the wp forum long ago, we already CORRECT wp here:
wp-includes/default-filters.php: row 212, to NOT have wp add nofollow to comment links
DELETE
add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );

EVERY TIME we have to redo that, since wp programmers choose to foolishly follow fake "security" issues that NO legit wp user has anyway (they don't link to risky sites, only the programmers in their dreams do!), instead of addressing the pressing content issues we users have called for for some 6 years...!

Member

Afraithe commented Sep 26, 2017

Sorry, but since they are re-adding it, there isn't much we can do on our side here.

RealDavidoff commented Sep 26, 2017

That's why my wording is so harsh. You now realized that the wp programmers who blindly followed that idiotic "security" report of someone who can't think clearly (or just READ WHAT I WROTE) left us users NO WAY to simply "opt out" of that nonsense. Like you and others naively claimed we can.

Thus again, hopefully one day soon one of those "programmers" wakes up, READS this thread (or any of my other related threads) and cuts out that idiocracy altogether!

gtrufitt commented Nov 3, 2017

Gotta say @RealDavidoff, you've really got to learn how to have a constructive conversation. There's no reason to keyboard-warrior the way you're doing here, act like an adult.

RealDavidoff commented Nov 3, 2017

Either you cannot READ or you aren't an adult yourself: Wasting your time like a child on sth you have neither READ nor understand.

And if only(?) you have a personal issue with language, reconsider attending language school. Or, learn not to take everything as serious as you seemingly do. ;-)

gtrufitt commented Nov 3, 2017

Frankly I'm just glad I don't work with you @RealDavidoff

donShakespeare commented Nov 4, 2017

I am the master of language, and also the master of human nature, and I tell you candidly, in all my 500 years of composing, honey is better than vinegar, well, depends on what you are trying to achieve - and what kind of vinegar.

But, I find that telling people that they are nincompoops because they cannot fathom the plainness of your erudition will never motivate them to go back to read anything you wrote no matter how outstanding and sincere.

Fighting nincompoopity with nincompoopity is a two-way stop-sign junction in a rough lawless country.
... all manners fly out da wyndow

RealDavidoff commented Nov 8, 2017

@everyone who's spoofed by those few people posting above such nonsense:

READ this: https://wordpress.org/support/topic/delete-wordpress-automatic-nofollow-filter-plugin/#post-9662581

Same with noopener tag. Gotta THINK before you post, before you work, before you program, before you sell.
Well, I do.

Contributor

fyrkant commented Nov 8, 2017

I think we have talked about this issue enough now, and there is nothing we can do about it in TinyMCE. Locking this conversation.

@tinymce tinymce locked and limited conversation to collaborators Nov 8, 2017
