I see people recommending that whenever one uses target="_blank" in a link to open it in a different window, they should put rel="noopener noreferrer". I wonder how this prevents me from using Developer Tools in Chrome, for example, and removing the rel attribute. Then clicking the link...
Is that an easy way to still keep the vulnerability?
The noopener is needed to enhance the security of your website and prevent other websites from gaining access to your page (through the browser session). The noreferrer is used to protect referral information from being passed to the target website and this also hides referral traffic in Google Analytics.
rel=noreferrer is the same as rel=noopener. The only difference is that if you use rel=noreferrer, the owner of the destination page will never know that you are linking to his/her site, because this attribute blocks the browser from transferring the HTTP referral header to the destination site.
Feature: Anchor target=_blank implies rel=noopener by default. To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set.
You May Not Want To Use _Blank For Inline Frames
One such case is for inline frames. An inline frame is an HTML element that can contain another web document within it. For example, some advertisements are contained within an iframe so that they end up being a web page within a web page.
You may be misunderstanding the vulnerability. You can read more about it here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
Essentially, adding rel="noopener noreferrer" to links protects your site's users against having the site you've linked to potentially hijacking the browser (via rogue JS).
You're asking about removing that attribute via Developer Tools - that would only potentially expose you (the person tampering with the attribute) to the vulnerability.
Update as of 2021: All current versions of major browsers now automatically use the behavior of rel="noopener" for any target="_blank" link, nullifying this issue. See more at chromestatus.com.
Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. This is known as reverse tabnapping:
The referring page is stored in window.opener, and a malicious site could modify this through:
if (window.opener) {
    window.opener.location = "https://phish.example.com";
}
Adding rel="noopener noreferrer" fixes this vulnerability in all major browsers.
Note that you could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.
Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.
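For a site owner who wants to check their own pages, here is an added example (not from the answers above or from any project's code) that audits target="_blank" links and adds the rel tokens the answers recommend. The function names and the fakeLink stand-in element are assumptions made for the example; it also flags rel="opener", the HTML keyword that opts a link back into window.opener despite the browser default.

```javascript
// Added example: audit and harden target="_blank" links on your own pages.
// Works on any object exposing getAttribute/setAttribute (DOM elements in a browser).

function relTokens(el) {
  // rel is a whitespace-separated, case-insensitive token list.
  return (el.getAttribute("rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// "ok"       : window.opener is withheld explicitly, or the link is not _blank
// "implicit" : _blank with no rel token, protected only by the browser default
// "opener"   : _blank with rel="opener", which re-enables window.opener
function auditLink(el) {
  if ((el.getAttribute("target") || "").toLowerCase() !== "_blank") return "ok";
  const tokens = relTokens(el);
  // noreferrer implies noopener, and either one overrides "opener".
  if (tokens.includes("noopener") || tokens.includes("noreferrer")) return "ok";
  return tokens.includes("opener") ? "opener" : "implicit";
}

// Adds "noopener noreferrer", keeping unrelated tokens such as nofollow.
// It drops an explicit "opener" opt-in, so review those links before applying.
function hardenLink(el) {
  const verdict = auditLink(el);
  if (verdict !== "ok") {
    const kept = relTokens(el).filter((t) => t !== "opener");
    el.setAttribute("rel", [...kept, "noopener", "noreferrer"].join(" "));
  }
  return verdict;
}

function hardenAll(elements) {
  const report = { ok: 0, implicit: 0, opener: 0 };
  for (const el of elements) report[hardenLink(el)] += 1;
  return report;
}

// Constructed stand-in for a DOM element so the block also runs under Node.
function fakeLink(attrs) {
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = value; },
  };
}

// In a browser: hardenAll(document.querySelectorAll("a[target], area[target]"));
```

The report counts describe the links as they were before hardening, so a non-zero "implicit" or "opener" count points at markup to fix in the served HTML.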