Since 0.19 Elm aims to mitigate some attack vectors which exist in HTML and JS. In that spirit, one good addition would be automatically adding rel="noopener" whenever the target attribute is set to a _blank value. This could be implemented within the Browser package or maybe even Html.
The vulnerability
Pages that have been opened via target="_blank" can control their opener via
var openerWindow = window.opener; // do malicious stuff with the openerWindow
Some browsers, such as Firefox, even added the behavior of automatically adding rel="noopener" to their engines.
https://www.ghacks.net/2018/11/30/firefox-security-relnoopener-for-target_blank/

Relevant links:
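
An added example, not code from Elm or from this issue: one way a rendering layer could apply the proposed rule before attributes reach the DOM, keeping any rel tokens the author already set. The function name `hardenLinkAttributes` and the `[name, value]` pair representation are assumptions made for illustration.

```javascript
// Hypothetical helper (not part of Elm or any library): takes a list of
// [name, value] attribute pairs, as a virtual-DOM layer might hold them
// before rendering, and returns a new list in which rel contains
// "noopener" whenever target is "_blank".
function hardenLinkAttributes(attrs) {
  const isName = (pair, name) => pair[0].toLowerCase() === name;

  // Assumption: if target is given more than once, the last one is the
  // one that ends up on the element.
  const targets = attrs.filter((p) => isName(p, "target"));
  const target = targets.length ? targets[targets.length - 1][1] : null;

  // The _blank keyword is matched ASCII case-insensitively.
  if (target === null || target.toLowerCase() !== "_blank") {
    return attrs.slice();
  }

  // Collect the tokens of every existing rel value (conservative: nothing
  // the author wrote is dropped), de-duplicated case-insensitively.
  const tokens = [];
  const has = (tok) => tokens.some((t) => t.toLowerCase() === tok.toLowerCase());
  for (const [, value] of attrs.filter((p) => isName(p, "rel"))) {
    for (const tok of value.split(/\s+/).filter(Boolean)) {
      if (!has(tok)) tokens.push(tok);
    }
  }
  if (!has("noopener")) tokens.push("noopener");

  // Emit a single merged rel attribute after the untouched attributes.
  const rest = attrs.filter((p) => !isName(p, "rel"));
  return [...rest, ["rel", tokens.join(" ")]];
}

// Constructed sample input.
const sample = [
  ["href", "https://example.com/"],
  ["target", "_BLANK"],
  ["rel", "nofollow"],
];
console.log(hardenLinkAttributes(sample));
```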