Safe JS: why links with target="_blank" are dangerous, and why you should write rel="noopener"
Clicking links in browsers, mail clients and elsewhere can be unsafe. Many people are wary of links, and some refuse to follow them at all, assuming there is certainly a virus behind each one. A balance is needed here: do not be paranoid, but do not click on just any link either.
The vulnerability works like this: a page opened through a link with target="_blank" receives a reference to the page that opened it in window.opener, and even from another origin it is allowed to assign window.opener.location. While the visitor reads the new tab, the attacker's page can silently replace the original tab with a look-alike login page (this is known as reverse tabnabbing). As you can see, the vulnerability is quite serious. The question arises: how do we fix it? Browser vendors have since closed it in their products: current Chrome (since 88), Firefox (since 79) and Safari (since 12.1) treat target="_blank" as if rel="noopener" were present. But not all users update their browsers promptly, and some never update at all, so the site itself should not rely on that.
You can close the hole yourself right now, without waiting for updates. For every link, and above all every link with target="_blank", write the rel attribute with the value noopener: rel="noopener". What does it do? With noopener the opened page gets window.opener equal to null, so it has no handle on the original page and cannot navigate it or change anything in it. That is why you now often see links not only with nofollow but also with noopener added. This answers the question of why to write rel="noopener".
What if you need to combine two values in one attribute? Just list them separated by a space, like this: rel="nofollow noopener". But that is not all: older browsers do not understand noopener, so it is better to add noreferrer as well. Browsers that support noreferrer also withhold window.opener, and noreferrer has been supported for longer. Keep in mind that noreferrer additionally suppresses the Referer header, so the target site will not see which page the visitor came from; that is usually acceptable, but it is a side effect to know about. As a result, a link that search engines do not follow and that is protected against this vulnerability in all browsers looks like this: rel="nofollow noopener noreferrer".
There is one more solution, a global one, which protects all links on the page without writing noopener by hand: a small script, included on every page of the site and run once the DOM has loaded, that walks every link with target="_blank" and adds the missing rel tokens, or that intercepts clicks and opens the address through window.open with the noopener feature. One piece of advice that is sometimes given, simply writing window.opener = null in your own site's script, does not do this job: it severs your own page's reference to whatever window opened it, which is a useful defence when your page is the one being opened by someone else's link, but it does nothing to protect your visitors' tabs from the pages you link to.
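The following is an added example, not code from the original article, that puts the pieces of the preceding paragraphs together: a helper that normalises a rel attribute so that it contains noopener and noreferrer, a check for whether a link hands the opened page a usable window.opener, a walker that applies the fix to every target="_blank" link on a page, and a small simulation of the attack itself, using two plain objects in place of browser windows so that the whole file runs under Node as well as in a browser. All function names and URLs are chosen for this example and do not come from the article.

```javascript
// Added example (not from the original article). Runs under Node with no
// DOM; in the browser, include it on every page and call
// hardenAnchors(document) after DOMContentLoaded.

// Normalise a rel attribute so that it contains noopener and noreferrer.
// Existing tokens such as "nofollow" are kept; matching is case-insensitive.
function hardenRel(rel) {
  const tokens = (rel || '').trim().split(/\s+/).filter(Boolean);
  for (const needed of ['noopener', 'noreferrer']) {
    if (!tokens.some((t) => t.toLowerCase() === needed)) tokens.push(needed);
  }
  return tokens.join(' ');
}

// Does this link give the opened page a usable window.opener?
// Only links that open a new browsing context matter (target="_blank" or a
// fresh window name); _self/_parent/_top navigate existing contexts and set
// no opener. Either noopener or noreferrer (which implies noopener) closes
// the hole. This is the conservative answer for old browsers; new ones
// already imply noopener for target="_blank".
function leaksOpener(target, rel) {
  const t = (target || '').toLowerCase();
  if (t === '' || t === '_self' || t === '_parent' || t === '_top') return false;
  const tokens = (rel || '').toLowerCase().split(/\s+/);
  return !tokens.includes('noopener') && !tokens.includes('noreferrer');
}

// Walk every <a target="_blank"> in a document-like object (anything with
// querySelectorAll returning elements with get/setAttribute) and add the
// missing rel tokens. Returns how many links were fixed.
function hardenAnchors(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const rel = a.getAttribute('rel');
    if (leaksOpener(a.getAttribute('target'), rel)) {
      a.setAttribute('rel', hardenRel(rel));
      fixed++;
    }
  }
  return fixed;
}

// ---- Simulation of what happens at click time (constructed, no real DOM) ----
const PHISHING_URL = 'https://login.yourbank-secure.example/'; // constructed sample

// Model of the browser creating the new window for a clicked anchor: the
// opener reference is passed only when the link leaks it.
function openTab(openerWindow, target, rel) {
  return {
    opener: leaksOpener(target, rel) ? openerWindow : null,
    location: { href: 'https://partner.example/' }, // constructed sample
  };
}

// The whole exploit as run by a malicious opened page. It cannot read the
// opener's DOM (same-origin policy), but the Location setter is writable
// cross-origin, so it can navigate the original tab to a look-alike page.
function attackerScript(win) {
  if (!win.opener) return false;  // noopener: nothing to attack
  win.opener.location.href = PHISHING_URL;
  return true;                    // the original tab has been redirected
}

// Simulate a click on <a target=... rel=...> from the visitor's tab and
// report whether the attacker managed to redirect that tab.
function simulateClick(target, rel) {
  const originalTab = { location: { href: 'https://yourbank.example/account' } }; // constructed
  const redirected = attackerScript(openTab(originalTab, target, rel));
  return { redirected, originalTabNowAt: originalTab.location.href };
}
```

In the browser only the first three functions are needed; the simulation part exists to show the mechanism end to end. Note that hardenAnchors only covers links present when it runs, so a site that injects links later (pagination, comments loaded via fetch) should call it again after each such update, or run it from a MutationObserver.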
So take care of the security of your projects now and apply the measures described in this article.