Use window.open but block use of window.opener

A while back I ran across an interesting security hole:

<a href="http://someurl.here" target="_blank">Link</a> 

Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there's still some mischief that can be done:

window.opener.location = 'http://gotcha.badstuff'; 

Now, HTML has a workaround:

<a href="http://someurl.here" target="_blank" rel="noopener noreferrer">Link</a> 

That prevents the new window from having window.opener passed to it. That's fine and good for HTML, but what if you're using window.open?

<button type="button" onclick="window.open('http://someurl.here', '_blank');">Click Me</button>

How would you block the use of window.opener being passed here?

Machavity asked Nov 14 '16 16:11




1 Answer

The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.

I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that

This is supported in modern browsers including Chrome, and Firefox 52+.

From my experimentation, I see it works for:

  • Chrome 61
  • Firefox 56
  • Safari 11.1 (thanks Jiayi Hu for this)

But doesn't work for:

  • IE 11.608
  • Edge 40

(All tests on a PC running Windows 10...)

For backwards compatibility it may be better to combine this with t3__rry's answer.

G0BLiN answered Sep 23 '22 17:09

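An added example (not code from the question or the answer above) that combines the "noopener" feature with the manual `opener = null` fallback for browsers that ignore it; the function names and the stub window object used to exercise it outside a browser are assumptions constructed here.

```javascript
// Open `url` in a new tab so the new page cannot reach back through
// window.opener. `win` is the window object to call open() on; it is a
// parameter so the logic can be exercised with a stub below.
function openWithoutOpener(url, win = (typeof window !== 'undefined' ? window : null)) {
  if (!win || typeof win.open !== 'function') {
    throw new Error('no window object available');
  }
  const child = win.open(url, '_blank', 'noopener,noreferrer');
  if (child === null) {
    // Browser honoured "noopener": the caller gets no handle and the new
    // browsing context has a null opener. Nothing more to do.
    return { viaFeature: true, handle: null };
  }
  // Browser ignored the feature (the older IE/Edge builds in the answer) and
  // returned a handle whose page will see window.opener. Right after open()
  // the child is still about:blank and same-origin, so we can disown the
  // back-reference ourselves before the target page finishes loading.
  child.opener = null;
  return { viaFeature: false, handle: child };
}

// Constructed stand-in for a browser window (not a real browser API).
// `honoursNoopener` models the two behaviours described in the answer.
function makeStubWindow(honoursNoopener) {
  const win = { lastCall: null, children: [] };
  win.open = (url, target, features) => {
    win.lastCall = { url, target, features };
    const wantsNoopener = /\bnoopener\b/.test(features || '');
    if (wantsNoopener && honoursNoopener) return null;   // spec behaviour: no handle
    const child = { opener: win, location: url };        // legacy: handle, opener set
    win.children.push(child);
    return child;
  };
  return win;
}
```

In a real page, `openWithoutOpener('https://someurl.here')` from a click handler is all that is needed; the stub is only for checking both code paths offline.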