+1, good default. Please do submit a PR.

On Wed, Jun 15, 2016 at 11:13 AM jxck jxck <block.rxckin.be...@gmail.com>
wrote:

> A link with target=_blank will cause a kind of phishing attack known as
> *tabnabbing*.
> Details of this attack are described below.
>
> - http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
> - https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
>
> This is caused by the `window.opener` JavaScript API, and it is prevented
> by the new `rel=noopener` API.
>
> So I propose adding this attribute to `link_to` when it is given `target:
> "_blank"`.
>
> ```
> link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
> ```
>
> ```
> <!-- before -->
> <a href="http://www.rubyonrails.org/" target="_blank">External link</a>
> <!-- after -->
> <a href="http://www.rubyonrails.org/" target="_blank"
> rel="noopener">External link</a>
> ```
>
> Here is the `noopener` spec.
>
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener
>
> It is currently implemented by Chrome/Opera.
>
> http://caniuse.com/#search=noopener
>
> `noreferrer` is considered an alternative to `noopener` for older browsers,
> but it causes the referrer not to be sent to the server, so it would be a
> breaking change for some apps.
> `noopener` has no side effects for apps, unless they use `window.opener`,
> of course.
>
>
> I'm posting this to ask you guys before writing a PR, according to the guidelines.
>
> thanks.
> Jxck
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at https://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
>

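The attribute merge proposed in the quoted message, written out as an added stand-alone example (this is not Rails' own `link_to` nor the code from the eventual PR). `safe_target_options` and the minimal `link_to` stand-in are hypothetical names; the stand-in only renders an `<a>` tag with escaped attributes so the `rel` handling can be tested without ActionView.

```ruby
require "erb" # ERB::Util.html_escape for attribute/text escaping

# Add rel="noopener" to a link that opens a new browsing context.
# With noopener the new document's window.opener is null, so a page that
# the user was sent to cannot navigate the opening tab (tabnabbing).
# Existing rel values (e.g. "nofollow") are preserved, noopener is not
# duplicated, and links without target="_blank" are left untouched.
def safe_target_options(options)
  opts = options.transform_keys(&:to_s) # accept symbol or string keys
  return opts unless opts["target"] == "_blank"

  rel = opts["rel"].to_s.strip.split(/\s+/)
  rel << "noopener" unless rel.include?("noopener")
  opts["rel"] = rel.join(" ")
  opts
end

# Hypothetical minimal stand-in for ActionView's link_to: renders
# <a href="..." ...attrs>text</a> with HTML-escaped values.
def link_to(text, href, options = {})
  attrs = { "href" => href }.merge(safe_target_options(options))
  attr_str = attrs.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v)}") }.join(" ")
  "<a #{attr_str}>#{ERB::Util.html_escape(text)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  puts link_to("External link", "http://www.rubyonrails.org/", target: "_blank")
  puts link_to("Sponsor", "/sponsor", target: "_blank", rel: "nofollow")
  puts link_to("Internal", "/about")
end
```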
