A while back I ran across an interesting security hole
<a href=http://someurl.here target=_blank>Link</a>
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener
. There are some restrictions, being cross-domain, but there's still some mischief that can be done
window.opener.location = 'http://gotcha.badstuff';
Now, HTML has a workaround
<a href=http://someurl.here target=_blank rel=noopener noreferrer>Link</a>
That prevents the new window from having window.opener
passed to it. That's fine and good for HTML, but what if you're using window.open
?
<button type=button onclick=window.open('http://someurl.here', '_blank');>
Click Me
</button>
How would you block the use of window.opener
being passed here?