+1, good default. Please do submit a PR.

On Wed, Jun 15, 2016 at 11:13 AM jxck jxck <block.rxckin.be...@gmail.com> wrote:
> A link with target=_blank will cause a kind of phishing attack known as
> *tabnabbing*.
> Details of this attack are described below.
>
> - http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
> - https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
>
> This is caused by the `window.opener` JavaScript API, and it will be
> prevented by the new `rel=noopener` API.
>
> So I propose adding this attribute to `link_to` when it is given
> `target: "_blank"`.
>
> ```
> link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
> ```
>
> ```
> <!-- before -->
> <a href="http://www.rubyonrails.org/" target="_blank">External link</a>
> <!-- after -->
> <a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>
> ```
>
> Here is the `noopener` spec.
>
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener
>
> Currently implemented by Chrome/Opera.
>
> http://caniuse.com/#search=noopener
>
> `noreferrer` is considered an alternative to `noopener` for older browsers,
> but this causes the referrer not to be sent to the server, so it'll cause a
> breaking change for some apps.
> `noopener` has no side effect for apps that are not using `window.opener`,
> of course.
>
> I'm posting this to ask you guys before writing a PR, according to the
> guideline.
>
> Thanks.
> Jxck
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at https://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
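
The default proposed in the thread, sketched as a stand-alone helper. This is an added example, not Rails code and not code from either poster; `with_noopener`, `safe_link_to` and `escape_html` are hypothetical names. It goes one step beyond the post by merging `noopener` into an existing `rel` value instead of overwriting it.

```ruby
# Added example: plain Ruby, no Rails required. All method names are hypothetical.
HTML_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Minimal HTML escaping for attribute values and link text.
def escape_html(value)
  value.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Returns a copy of html_options (string keys) with "noopener" present in
# rel whenever target is "_blank". The keyword is matched case-insensitively.
def with_noopener(html_options)
  opts = html_options.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  return opts unless opts["target"].to_s.casecmp?("_blank")

  # rel is a space-separated token list: keep existing tokens, avoid duplicates.
  tokens = opts["rel"].to_s.split
  tokens << "noopener" unless tokens.any? { |t| t.casecmp?("noopener") }
  opts.merge("rel" => tokens.join(" "))
end

# Renders an anchor tag the way the "after" markup in the post looks.
def safe_link_to(name, url, html_options = {})
  attrs = { "href" => url }.merge(with_noopener(html_options))
  rendered = attrs.map { |k, v| %(#{k}="#{escape_html(v)}") }.join(" ")
  "<a #{rendered}>#{escape_html(name)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample calls.
  puts safe_link_to("External link", "http://www.rubyonrails.org/", target: "_blank")
  puts safe_link_to("Partner", "http://example.com/", target: "_blank", rel: "nofollow")
  puts safe_link_to("Same tab", "/about")
end
```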