Jonathan Druart
6c1b39b4cb
If you click on a link that opens a new tab/window to another site, that tab has access to the original window through JavaScript. The browsing context is related, even if the domains are totally different. The tab retains access to the original window's object via window.opener, even if you navigate to another page or domain, in the new or original window. Access to the Window object means the new window can use Window.location to open a different URL in the original window, perfect for phishing attacks. Depending on the site's Same-Origin Policy settings, the new window may have access to other parts of the original window's DOM as well. Any 'A HREF' that contains a target of of '_blank' or '_new' or a fixed name is vulnerable. Previous security best practice often suggested creating a random fixed name for an unpredictable namespace - that won't help with this problem! Targets of '_self' and '_parent' are safe. We do not use _new (at first glance) but several _blank. Some are used to refer internal url, we do not need to update or remove them. Others are used to satisfy OPACURLOpenInNewWindow, in these case, we should add the rel="noreferrer" attribute to the a tags. In other cases, we can simply remove them and let the users discover that a mouse has more than one button (we are in 2016, they can do it!) Signed-off-by: Chris <chrisc@catalyst.net.nz> Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com> Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com |
||
---|---|---|
.. | ||
bootstrap | ||
lib |