Join +2,660 software developers getting weekly tips covering security, quality and system design.
Think of a regular day at work. Fixing some bugs, adding some new features to your web application. Some changes may be very sophisticated, some pretty easy. You sip your morning coffee ☕ and your Client or Product Owner says:

- "Reader, can you open this link in a new tab?"

You say - "Sure!" and immediately add target="_blank".

<a href="someapp.com" target="_blank">GO</a>

And here is where the problem begins. 💀 someapp.com can TAKE CONTROL over your application! 😈

- "Bartosz? What are you talking about?!"

Let me explain. 👽 The newly opened tab with someapp.com can access the window.opener property, which points to the window that opened it (your app!). This may lead to several consequences:

- "Oh sh*t! This is a serious issue! How to prevent this?"
- "Just use rel="noopener" in your links", as below.

<a href="someapp.com" target="_blank" rel="noopener">GO</a>

This will result in window.opener being null, and none of the listed attack vectors will be possible. 👏

A reflection on this? Hmm... I like to say that there are two kinds of lack of knowledge: aware and unaware. You might not know something and be aware of that fact (the fact that you don't know). But if you are not aware that you don't know... - You don't know what you don't know - that is the pathway to a disaster. Not only in your professional life, but also in your private life. What I mean by that is that it's always better to assume an unaware lack of knowledge, so that you always dig deeper (instead of assuming that you know your unknowns).

That's all, my friend,
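As an added example (not part of the original email), here is a small script that audits every target="_blank" link on a page and adds rel="noopener", so the opened tab sees window.opener === null. It also adds "noreferrer", which older browsers that predate noopener honour with the same effect; the hardenBlankLinks and hardenedRel names are my own, and the sample anchor objects are constructed stand-ins for DOM <a> elements.

```javascript
// Return a rel value that contains "noopener" (plus "noreferrer", which also
// implies noopener in browsers that lack noopener support), keeping any tokens
// already present and avoiding duplicates.
function hardenedRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// `anchors` is any iterable of anchor-like objects exposing `target` and `rel`,
// e.g. document.querySelectorAll('a[target="_blank"]') in a browser.
// Only new-tab links are affected; returns how many links were changed.
function hardenBlankLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    if (a.target !== "_blank") continue;
    const before = a.rel || "";
    const after = hardenedRel(before);
    if (after !== before) {
      a.rel = after;      // on a real <a>, this reflects into the rel attribute
      changed++;
    }
  }
  return changed;
}

// Constructed sample: plain objects standing in for <a> elements.
const sampleLinks = [
  { href: "someapp.com", target: "_blank", rel: "" },          // vulnerable
  { href: "someapp.com", target: "_blank", rel: "nofollow" },  // vulnerable, keeps nofollow
  { href: "someapp.com", target: "_blank", rel: "noopener" },  // safe; only noreferrer is added
  { href: "/docs", target: "", rel: "" },                      // same tab: nothing to do
];

if (typeof window === "undefined") {
  // Node: show the audit result on the constructed sample.
  console.log(hardenBlankLinks(sampleLinks), sampleLinks);
} else {
  // Browser: run once after render (and again after dynamic inserts).
  hardenBlankLinks(document.querySelectorAll('a[target="_blank"]'));
}
```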