[Proposal] default `rel=noopener` for link_to with target: '_blank' for avoiding tabnabbing attack


jxck jxck

Jun 15, 2016, 2:13:09 PM6/15/16
to Ruby on Rails: Core
A link with target=_blank can enable a kind of phishing attack known as *tabnabbing*.
Details of this attack are described below.


This is caused by the `window.opener` JavaScript API, and it is prevented by the new `rel=noopener` API.

So I propose adding this attribute to `link_to` when it is given `target: "_blank"`.

```ruby
link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
```

```html
<!-- before -->
<a href="http://www.rubyonrails.org/" target="_blank">External link</a>
<!-- after -->
<a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>
```

Here is the `noopener` spec.


Currently implemented by Chrome/Opera.


`noreferrer` is considered an alternative to `noopener` for older browsers.
But this causes the referrer not to be sent to the server, so it will be a breaking change for some apps.
`noopener` has no side effects for apps, unless they use `window.opener`, of course.


I'm posting this to ask you guys before writing a PR, according to the guideline.

thanks.
Jxck
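The behaviour proposed above, shown as an added stand-alone example (this is not Rails' `link_to` and not the poster's patch): a minimal tag builder that appends `rel="noopener"` whenever `target: "_blank"` is given, keeping any `rel` tokens the caller already set, plus a small audit helper that finds anchors in rendered HTML which open a new tab without `noopener` or `noreferrer`. The function and constant names are assumptions chosen for this example; only the Ruby standard library is used.

```ruby
require "cgi"

# Added example, not Rails' own link_to: builds an <a> tag and, when the
# target is "_blank", adds rel="noopener" so the opened page gets a null
# window.opener and cannot navigate the original tab (tabnabbing).
# Existing rel tokens (e.g. "nofollow") are kept; "noopener" is not duplicated.
def link_to_with_noopener(text, href, options = {})
  # normalise symbol/string keys to strings, preserving insertion order
  attrs = options.each_with_object({}) { |(k, v), h| h[k.to_s] = v }

  if attrs["target"] == "_blank"
    rel_tokens = attrs.fetch("rel", "").to_s.split
    rel_tokens << "noopener" unless rel_tokens.include?("noopener")
    attrs["rel"] = rel_tokens.join(" ")
  end

  # escape every attribute value and the link text to avoid HTML injection
  attr_string = attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
  attr_string = " #{attr_string}" unless attr_string.empty?
  %(<a href="#{CGI.escapeHTML(href)}"#{attr_string}>#{CGI.escapeHTML(text)}</a>)
end

# Audit helper (also an added example): return the opening <a ...> tags in a
# rendered page that use target="_blank" but carry neither noopener nor
# noreferrer, so existing views can be checked before the default changes.
ANCHOR_TAG_RE = /<a\b[^>]*>/i

def unprotected_blank_links(html)
  html.scan(ANCHOR_TAG_RE).select do |tag|
    tag =~ /\btarget="_blank"/i &&
      tag !~ /\brel="[^"]*\b(?:noopener|noreferrer)\b[^"]*"/i
  end
end

if __FILE__ == $PROGRAM_NAME
  puts link_to_with_noopener("External link", "http://www.rubyonrails.org/", target: "_blank")
  # constructed sample page with one protected and one unprotected new-tab link
  sample = '<a href="/a" target="_blank">a</a><a href="/b" target="_blank" rel="noopener">b</a>'
  puts unprotected_blank_links(sample).inspect
end
```

Running the file prints the "after" markup from the proposal for the first call, and `["<a href=\"/a\" target=\"_blank\">"]` for the constructed sample page, i.e. only the anchor that lacks protection.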

Jeremy Daer

Jun 15, 2016, 2:49:10 PM6/15/16
to Ruby on Rails: Core
+1, good default. Please do submit a PR.


jxck jxck

Jun 16, 2016, 10:41:40 AM6/16/16
to Ruby on Rails: Core
Thanks, Jeremy.

Now I'm working on the patch here.


I'll send the PR soon, when I'm done.

thanks

Jxck

On Thursday, June 16, 2016 at 3:49:10 AM UTC+9, Jeremy Daer wrote: