danielstjules / blankshield

Prevent reverse tabnabbing phishing attacks caused by _blank
http://danielstjules.github.io/blankshield/
MIT License
140 stars 24 forks

Doesn't work in Safari 8 #2

Closed sstephenson closed 9 years ago

sstephenson commented 9 years ago

Neither the rel=noreferrer nor the window.open techniques appear to prevent tab-nabbing in Safari 8. Screencast of your demo page is attached.


danielstjules commented 9 years ago

Thanks for reporting that! Oddly enough, the example works when the demo page is run on localhost...

danielstjules commented 9 years ago

Will look into a solution this evening. But you're right. rel=noreferrer does not work for Safari. As for window.opener... it has to do with Safari's browser restrictions.

If the new tab lies on the same origin as the page in Safari (e.g. both on localhost), the page can successfully set child.opener = null, and the new tab will no longer have a reference to the window.

If the new tab lies on a different origin, Safari prevents the page from modifying the tab's opener attribute. As a result, the new tab keeps a reference to the parent's window, and is still able to apply the attack.

So Safari's own "security precautions" are working against it. At the very least, if I can't come up with a workaround, I would have blankshield force those urls to open in the existing tab when using Safari.
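The fallback described in the comment above, sketched as an added example that is not part of the original thread and is not blankshield's own code: open the link, try to clear `opener`, verify that the write took effect, and otherwise reuse the current tab. The names `openShielded` and `fakeWindow`, the example URLs, and the two modelled refusal behaviours are assumptions made for illustration.

```javascript
// Added example: openShielded and fakeWindow are hypothetical names, not blankshield's API.
// `win` is the page's window object, passed in so the logic also runs outside a browser.
function openShielded(win, url) {
  const child = win.open(url, '_blank');
  if (!child) return { mode: 'blocked' };      // popup blocker: nothing was opened

  let cleared = false;
  try {
    child.opener = null;                       // may throw or be silently ignored
    cleared = child.opener === null;           // verify, do not trust the assignment
  } catch (err) {
    cleared = false;
  }
  if (cleared) return { mode: 'new-tab' };

  // The opener reference survived: close the tab and navigate the current one,
  // the fallback described in the comment above.
  try { child.close(); } catch (err) { /* child is already gone */ }
  win.location.href = url;
  return { mode: 'same-tab' };
}

// Constructed stand-ins for a browser window. 'ignore' and 'throw' model the two
// ways a browser might refuse the cross-origin write; which one Safari 8 used is
// not stated in the thread.
function fakeWindow(kind) {
  const win = { location: { href: 'https://app.example/' }, closed: 0 };
  win.open = () => {
    if (kind === 'blocked') return null;
    const child = { close: () => { win.closed += 1; } };
    let opener = win;
    Object.defineProperty(child, 'opener', {
      get: () => opener,
      set: (v) => {
        if (kind === 'throw') throw new Error('SecurityError (constructed)');
        if (kind === 'writable') opener = v;   // 'ignore' drops the write
      },
    });
    return child;
  };
  return win;
}

for (const kind of ['writable', 'ignore', 'throw', 'blocked']) {
  console.log(kind, openShielded(fakeWindow(kind), 'https://other.example/').mode);
}
```

In a browser the call would be `openShielded(window, link.href)` from a click handler, so that the popup is tied to a user gesture.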

danielstjules commented 9 years ago

@sstephenson @shajith A possible workaround exists with 0.3.1

danielstjules commented 9 years ago

I haven't been able to find an alternative other than the following: https://github.com/danielstjules/blankshield/blob/a410d91c522ea3ea9068d0b424e3c510a81c421a/blankshield.js#L52-L60 @sstephenson @shajith @jespr Closing this issue for now.

danielstjules commented 9 years ago

Looks like @hkjorgensen came up with a fallback using iframes. Will implement soon. :)

danielstjules commented 9 years ago

Fixed in the 0.4.0 release. Thanks again!