Miss any of our Open RFC calls?Watch the recordings here! »

safe-target

1.1.1 • Public • Published

Safe target="_blank" links

Using target="_blank" can be insecure. Especially if you use these from within a web app.

Wait, what?

Links that are opened using target="_blank" can control the opener tab in some limited ways.

Yes, you read that right. Thank to the window.opener property, new windows have a reference to the window that opened them.

What's the big deal?

Imagine this scenario:

  1. I log in to my favorite web app.
  2. I click over to some section, and click a link to a 3rd party. The developers of the web app don't want me leaving their app, so they made it target="_blank"
  3. Unbeknownst to me, the 3rd party was compromised, and a little bit of javascript was injected into their page. This javascript redirected my original window to a copy-cat page which says I need to log in again.
  4. I close the 3rd party tab, and am back on my original (now "logged out") tab. Everything looks legit, so I log in again.

I just gave some hackers my login information.

If you want to see this in action, check out docs/index.html.

Wow. So how do I fix this?

The solution, it turns out, is pretty simple.

Just add rel="noreferrer" to your links that use target="_blank" (HTML spec)

Simple enough, so why does this library exist?

We're humans, and adding rel="noreferrer" is easy to forget, let alone spell (is that one "r" or two?)

So, just add this script to the bottom of your page, like so:

<html>
<head>
</head>
<body>
  <!-- stuff -->
 
  <script src="//code.mattvenables.com/safe-target-blank/safe-target-blank.min.js"></script> 
</body>
</html>

Installation:

You can install safe-target-blank in several ways:

  1. Include the hosted JS directly on your page

    <script src="//code.mattvenables.com/safe-target-blank/safe-target-blank.min.js"></script>
  2. Install via npm (or yarn), and require it (for use with Webpack or Browserify)

    npm install safe-target
    yarn add safe-target
  3. Install via Bower

    bower install safe-target

Keywords

none

Install

npm i safe-target

DownloadsWeekly Downloads

4

Version

1.1.1

License

MIT

Last publish

Collaborators

  • avatar