elm / browser

Create Elm programs that run in browsers!
https://package.elm-lang.org/packages/elm/browser/latest/
BSD 3-Clause "New" or "Revised" License

Proposal: Auto fix target _blank vulnerability #83

Open ChristophP opened 5 years ago

ChristophP commented 5 years ago

Since 0.19 Elm aims to mitigate some attack vectors which exist in HTML and JS. In that spirit, one good addition would be automatically adding rel="noopener" whenever the target attribute is set to a _blank value. This could be implemented within the Browser package or maybe even Html.

The vulnerability

Pages that have been opened via target="_blank" can control their opener via

```javascript
// Runs in the newly opened page: window.opener is a reference to the page that linked here
var openerWindow = window.opener; // do malicious stuff with the openerWindow
```

Some browsers such as Firefox have even added the behavior of automatically adding rel="noopener" to their engines. https://www.ghacks.net/2018/11/30/firefox-security-relnoopener-for-target_blank/

Relevant links:
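The mitigation proposed above, as an added example that is not code from elm/browser or from the issue author: `ensureNoopener` models the auto-fix on an attribute list (a hypothetical `[name, value]` pair shape, standing in for what an Html.Attributes list compiles to), and `findUnsafeBlankLinks` is a small audit helper that scans an HTML string for anchors that open a new window without `noopener` or `noreferrer`. The sample HTML is constructed for the demo; the regex-based tag parsing is deliberately simple and does not handle `>` inside attribute values.

```javascript
// Returns a copy of attrs with rel="noopener" guaranteed whenever target="_blank".
// Existing rel tokens are kept; "noreferrer" already implies noopener per the HTML spec.
function ensureNoopener(attrs) {
  const target = attrs.find(([name]) => name.toLowerCase() === "target");
  if (!target || target[1].trim().toLowerCase() !== "_blank") {
    return attrs.map(([n, v]) => [n, v]); // not a new-window link: untouched copy
  }
  const out = [];
  let sawRel = false;
  for (const [name, value] of attrs) {
    if (name.toLowerCase() !== "rel") {
      out.push([name, value]);
      continue;
    }
    sawRel = true;
    const tokens = value.split(/\s+/).filter(Boolean);
    const safe = tokens.some((t) => ["noopener", "noreferrer"].includes(t.toLowerCase()));
    out.push([name, safe ? tokens.join(" ") : tokens.concat("noopener").join(" ")]);
  }
  if (!sawRel) out.push(["rel", "noopener"]);
  return out;
}

// Parses the attributes of one start tag (e.g. '<a href="x" target="_blank">')
// into [name, value] pairs. Unquoted, single- and double-quoted values are handled.
function parseAttrs(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>\/]*/, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(inner)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "";
    attrs.push([m[1], value]);
  }
  return attrs;
}

// Returns every <a ...> start tag in html that has target="_blank" but neither
// noopener nor noreferrer in rel, i.e. links that hand window.opener to the target page.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  const tagRe = /<a\b[^>]*>/gi; // simplification: breaks on '>' inside attribute values
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const target = attrs.find(([n]) => n.toLowerCase() === "target");
    if (!target || target[1].trim().toLowerCase() !== "_blank") continue;
    const rel = attrs.find(([n]) => n.toLowerCase() === "rel");
    const tokens = rel ? rel[1].toLowerCase().split(/\s+/).filter(Boolean) : [];
    if (!tokens.includes("noopener") && !tokens.includes("noreferrer")) {
      unsafe.push(m[0]);
    }
  }
  return unsafe;
}

// Constructed sample input for the audit helper (not from any real page).
const SAMPLE_HTML = [
  '<a href="https://example.org/" target="_blank">unsafe</a>',
  '<a href="https://example.org/" target="_blank" rel="noopener">safe</a>',
  "<a href='https://example.org/' target='_blank' rel='noreferrer nofollow'>safe too</a>",
  '<a href="https://example.org/">same tab</a>',
].join("\n");

// Demo: the auto-fix on an attribute list, then the audit over the sample HTML.
console.log(ensureNoopener([["href", "https://example.org/"], ["target", "_blank"]]));
console.log(findUnsafeBlankLinks(SAMPLE_HTML));
```

The audit helper is the check you would run over rendered output or templates on an older engine; on current browsers the default behaviour for `target="_blank"` is already `noopener`, so the fix mainly protects users on engines that predate that change.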

lydell commented 3 years ago

Chrome, Edge and Safari also do this automatically these days according to https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility

ChristophP commented 3 years ago

Ah interesting, that's good