missing-reverse-tabnabbing-protection
Ensure secure link target
When a link is created with target="_blank" to open it in a new window or tab, rel="noopener noreferrer" should be set as well to protect users of older browsers against reverse tabnabbing. Current browsers already treat target="_blank" as implying rel="noopener", but the explicit attribute still matters for older browsers and costs nothing. Reverse tabnabbing occurs when the page opened in the new tab or window keeps a reference to the original page through the window.opener DOM property. A malicious destination can use that reference, for example by assigning to window.opener.location, to navigate the original tab to a phishing page without the victim noticing. rel="noopener" makes window.opener null in the opened page; rel="noreferrer" additionally suppresses the Referer header and implies noopener.
Examples
Insecure Example
// Flagged: opens in a new tab but leaves window.opener available to example.com
var Test1 = <a target='_blank' href="http://example.com/"></a>
Secure Example
// Compliant: noopener severs the opener reference, noreferrer also withholds the Referer header
var OkTest3 = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
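The following is an added example, not code from the rule's own implementation: a minimal JavaScript check that applies the rule's logic to anchor tags in a string of markup. It parses the attributes of each `<a ...>` tag and reports the ones that set target="_blank" without a rel value containing noopener (or noreferrer, which implies noopener). The function names and the sample markup are constructed for this example.

```javascript
// Added example: detect the reverse-tabnabbing pattern in anchor markup.
// Not part of the original rule page; names and sample input are constructed.

// Parse `name="value"`, `name='value'` and `name=value` attributes from one tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    // whichever quoting form matched supplies the value
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the tag opens a new browsing context and keeps window.opener reachable,
// i.e. target="_blank" without rel containing "noopener" or "noreferrer".
function isUnsafeBlankLink(tag) {
  const attrs = parseAttributes(tag);
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// Return every opening <a ...> tag in the markup that fails the check.
function findUnsafeBlankLinks(markup) {
  const anchors = markup.match(/<a\b[^>]*>/gi) || [];
  return anchors.filter(isUnsafeBlankLink);
}

// Constructed sample: the two tags from the page plus two variants.
const SAMPLE_MARKUP = [
  '<a target=\'_blank\' href="http://example.com/">unsafe</a>',
  '<a target="_blank" rel="noopener noreferrer" href="http://example.com">ok</a>',
  '<a target="_blank" rel="noopener" href="http://example.com">ok too</a>',
  '<a href="http://example.com">same tab, no opener involved</a>',
].join('\n');

// Usage: prints only the first tag from SAMPLE_MARKUP.
for (const tag of findUnsafeBlankLinks(SAMPLE_MARKUP)) {
  console.log('missing-reverse-tabnabbing-protection:', tag);
}
```

The check deliberately accepts rel="noreferrer" on its own, since the HTML specification defines noreferrer as implying noopener; other rel tokens such as nofollow do not help and are ignored. A regex over tag text is adequate for a quick scan of templates or JSX literals, but anchors created dynamically (for example through window.open or attributes set in script) need to be reviewed separately.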