thanks Jeremy. now I have a PoC patch. https://gist.github.com/Jxck/c88cc1177e15f51bd9355d9d77ba3245

I'll fix this and send as PR soon.
Jxck

On Thursday, June 16, 2016 at 3:49:10 AM UTC+9, Jeremy Daer wrote:
>
> +1, good default. Please do submit a PR.
>
> On Wed, Jun 15, 2016 at 11:13 AM jxck jxck <block.rxc...@gmail.com> wrote:
>
>> A link with `target=_blank` can enable a kind of phishing attack known as
>> *tabnabbing*.
>> The details of this attack are described below.
>>
>> - http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
>> - https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
>>
>> This is caused by the `window.opener` JavaScript API, and it can be prevented
>> by the new `rel=noopener` API.
>>
>> So I propose adding this attribute to `link_to` when it is given
>> `target: "_blank"`.
>>
>> ```
>> link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
>> ```
>>
>> ```
>> <!-- before -->
>> <a href="http://www.rubyonrails.org/" target="_blank">External link</a>
>> <!-- after -->
>> <a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>
>> ```
>>
>> Here is the `noopener` spec.
>>
>> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener
>>
>> Currently implemented by Chrome/Opera.
>>
>> http://caniuse.com/#search=noopener
>>
>> `noreferrer` is considered an alternative to `noopener` for older browsers,
>> but it causes the referrer not to be sent to the server, so it'll be a breaking
>> change for some apps.
>> `noopener` has no side effects for apps that don't use `window.opener`,
>> of course.
>>
>>
>> I'm posting this to ask you guys before writing a PR, according to the guidelines.
>>
>> thanks.
>> Jxck
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to rubyonrails-co...@googlegroups.com.
>> To post to this group, send email to rubyonra...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
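The behaviour proposed in the thread, as an added example that is not the PoC patch from the gist and not Rails' own `link_to`: a small stand-alone Ruby helper that appends `rel="noopener"` whenever a link is rendered with `target: "_blank"`, and leaves links alone when the caller already supplied `noopener` or `noreferrer` (the thread notes `noreferrer` as the older-browser alternative). The helper names (`safe_link_to`, `rel_for`, `escape_attr`) are hypothetical and not part of Rails.

```ruby
# Added example, not the gist's PoC patch and not Rails' link_to.
# Helper names are hypothetical. Demonstrates merging rel="noopener" into
# the attributes of a link that opens in a new browsing context.

require "cgi"

# Escape an attribute value so a caller-supplied href or label cannot
# break out of the attribute (CGI.escapeHTML covers & < > " ').
def escape_attr(value)
  CGI.escapeHTML(value.to_s)
end

# Decide which rel value the link should carry.
#   target="_blank", no rel            -> "noopener"
#   target="_blank", rel="author"      -> "author noopener"
#   rel already has noopener/noreferrer -> unchanged (noreferrer already
#                                         suppresses window.opener, at the
#                                         cost of the Referer header)
#   any other target, or none          -> rel unchanged
def rel_for(target, rel)
  return rel unless target.to_s == "_blank"
  tokens = rel.to_s.split
  return rel if (tokens & %w[noopener noreferrer]).any?
  (tokens + ["noopener"]).join(" ")
end

# Render the anchor. html_options mirrors the keyword style of the
# proposal in the thread (target: "_blank").
def safe_link_to(text, href, html_options = {})
  opts = html_options.transform_keys(&:to_s)
  rel = rel_for(opts["target"], opts["rel"])
  opts["rel"] = rel unless rel.nil? || rel.empty?
  attrs = opts.map { |k, v| %( #{k}="#{escape_attr(v)}") }.join
  %(<a href="#{escape_attr(href)}"#{attrs}>#{escape_attr(text)}</a>)
end

if __FILE__ == $0
  # Reproduces the "after" markup from the proposal.
  puts safe_link_to("External link", "http://www.rubyonrails.org/", target: "_blank")
  # Same-tab links are left untouched.
  puts safe_link_to("Same tab", "/about")
end
```

The rel merge is token-based rather than a string replace, so an existing `rel="author"` keeps its value and gains `noopener`, and a link that already opts out of `window.opener` is not rewritten.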