Closed david-alvarez-rosa closed 1 year ago
hi, sorry to bump but i don't see how this was vulnerable to "reverse tabnapping"? The idea of reverse tabnapping is where you steal the login credentials of an idle website by inserting a fake copy of that site into the history. The destination link is github, which is implicitly trusted by all of us, and the source will be someones doxygen site which is static content with no potential to steal logins? I don't want to be the one to bump closed PRs but under what situation will this actually be exploitable? The change is small and harmless, but if this was really an issue people would be adding these tags to all their outbound links especially those which go to untrusted content. It is also my understanding that most web browsers dont send the referer between https sites for privacy reasons?
What im trying to say is, this is either not an issue at all, or is a bigger issue where adding the attributes to this one hyperlink is an incomplete fix. Your thoughts?
Thank you for your contribution!