Background
Today eslint reports an error when I introduce eslint-plugin-react
error Using target="_blank" without rel="noopener noreferrer" is a security risk: see https://mathiasbynens.github.io/rel-noopener react/jsx-no-target-blankWhy
Opening a new tab/window, either by hyperlinks (i.e tag with target attribute set to _blank) or programmatically calling window.open, will grant the newly-opened tab/window access back to the originating tab/window via window.opener. Therefore, the newly opened tab/window can then change the window.opener.location to redirect to the phishing page in the background, or execute some JavaScript on the opener-page on your behalf.
How to fixhtyperlink types
Add rel="noopenner" to outgoing links. E.g.
Specify noopener in window features
window.open("https://abc.com", "security", "noopener");
Reset opener property
Note: this technique is subject to Same Origin Policy
let nw = window.open("https://abc.com", "security"); nw.opener = null;Reference
About rel=noopener
Target="_blank" - the most underestimated vulnerability ever
NoticeIf you want to follow the latest news/articles for the series of my blogs, Please 「Watch」to Subscribe.
文章版權歸作者所有,未經允許請勿轉載,若此文章存在違規行為,您可以聯系管理員刪除。
轉載請注明本文地址:http://specialneedsforspecialkids.com/yun/11397.html
閱讀 3012·2021-11-22 12:06
閱讀 599·2021-09-03 10:29
閱讀 6526·2021-09-02 09:52
閱讀 2013·2019-08-30 15:52
閱讀 3411·2019-08-29 16:39
閱讀 1190·2019-08-29 15:35
閱讀 2061·2019-08-29 15:17
閱讀 1416·2019-08-29 11:17