Using `target="_blank"` can be insecure. This helps.
`target="_blank"` links

Using `target="_blank"` can be insecure, especially if you use these links from within a web app.
Links that are opened using `target="_blank"` can control the opener tab in some limited ways.
Yes, you read that right. Thanks to the `window.opener` property, new windows have a reference to the window that opened them.
Imagine this scenario:
target="_blank"
I just gave some hackers my login information.
If you want to see this in action, check out docs/index.html.
The solution, it turns out, is pretty simple.
Just add `rel="noreferrer"` to your links that use `target="_blank"` (HTML spec).
We're humans, and adding `rel="noreferrer"` is easy to forget, let alone spell (is that one "r" or two?).
So, just add this script to the bottom of your page, like so:
```html
<html>
  <head>
  </head>
  <body>
    <!-- stuff -->
    <script src="//code.mattvenables.com/safe-target-blank/safe-target-blank.min.js"></script>
  </body>
</html>
```
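What a script of this kind has to do fits in a few lines. The following is an added example, not the safe-target-blank source; the function names `mergeRel`, `opensNewTab` and `hardenLinks` are hypothetical, and it assumes existing `rel` tokens should be preserved.

```javascript
// Added example: hypothetical helpers, not the safe-target-blank source.

// Merge "noreferrer" into an existing rel value without dropping other tokens
// such as "nofollow". rel tokens are compared case-insensitively.
function mergeRel(existing) {
  const tokens = (existing || '').split(/\s+/).filter(Boolean);
  const present = tokens.some((t) => t.toLowerCase() === 'noreferrer');
  if (!present) tokens.push('noreferrer');
  return tokens.join(' ');
}

// True when the element opens a new tab or window via target="_blank".
// Browsers match the _blank keyword case-insensitively, so "_BLANK" counts.
function opensNewTab(el) {
  const target = el.getAttribute('target');
  return typeof target === 'string' && target.toLowerCase() === '_blank';
}

// Patch every <a> and <area> under root that opens a new tab.
// Returns the number of elements whose rel attribute was changed.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll('a[target], area[target]')) {
    if (!opensNewTab(el)) continue;
    const before = el.getAttribute('rel');
    const after = mergeRel(before);
    if (after !== before) {
      el.setAttribute('rel', after);
      changed += 1;
    }
  }
  return changed;
}

// In a browser, run as soon as the DOM is parsed. Links inserted into the
// page afterwards are not covered and need another hardenLinks() call.
if (typeof document !== 'undefined') {
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', () => hardenLinks(document));
  } else {
    hardenLinks(document);
  }
}
```

Calling `hardenLinks` a second time on the same tree changes nothing, so it is safe to re-run after rendering new content.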
You can install safe-target-blank in several ways:

Include the hosted JS directly on your page:

```html
<script src="//code.mattvenables.com/safe-target-blank/safe-target-blank.min.js"></script>
```

Install via npm (or yarn), and require it (for use with Webpack or Browserify):

```sh
npm install safe-target
yarn add safe-target
```

Install via Bower:

```sh
bower install safe-target
```