Link with target=“_blank” and rel=“noopener noreferrer” still vulnerable?
I see people recommending that whenever one uses target="blank" in a link to open it in a different window, she should put rel="noopener noreferrer". I wonder how does this prevent me from using Developer Tools in Chrome, for example, and removing the rel attribute. Then clicking the link...
Is that an easy way to still keep the vulnerability?
asked Jun 5 '18 at 22:08 by Miro J. (edited Apr 19 at 13:31)
Comments:
What kind of protection do you think it would (or would not, in this case) grant? – D_N, Jun 5 '18 at 22:14
I was considering browser extensions that can manipulate the DOM. – Miro J., Jul 25 '18 at 13:38
2 Answers
You may be misunderstanding the vulnerability. You can read more about it here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
Essentially, adding rel="noopener noreferrer" to links protects your site's users against having the site you've linked to potentially hijacking the browser (via rogue JS).
You're asking about removing that attribute via Developer Tools - that would only potentially expose you (the person tampering with the attribute) to the vulnerability.
answered Jun 5 '18 at 22:19 by Jon Uleis
Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. Adding rel="noopener noreferrer" fixes that vulnerability.
You could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.
Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.
answered Jun 5 '18 at 22:23 by Obsidian Age (edited Dec 10 '18 at 21:47 by Elias Zamaria)
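
Both answers rest on the protection living in the markup the server sends to every visitor. As an added example (not part of the original question or answers), this Node.js check audits served HTML for target="_blank" links that lack rel="noopener" or rel="noreferrer"; the function names and the sample markup are constructed for illustration.

```javascript
// Added example: audit served HTML for target="_blank" links that keep window.opener.
// Regex-based scan for illustration; attribute values containing ">" need a real HTML parser.

// Parse the attributes of one opening tag into a map with lowercase keys.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z][\w-]*/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every <a>/<area> that opens a new tab without severing the opener reference.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:a|area)(?=[\s\/>])[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    // Target keywords are matched case-insensitively by browsers.
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    // noreferrer implies noopener in the HTML spec, so either token is enough.
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      findings.push({ href: attrs.href || "", rel: attrs.rel || "" });
    }
  }
  return findings;
}

// Constructed sample markup (not from the original page).
const SAMPLE = `
<a href="https://example.com/a" target="_blank">no rel</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">safe</a>
<a href='https://example.com/c' target=_BLANK rel="nofollow">wrong rel</a>
<a href="https://example.com/d" rel="nofollow">same tab</a>
<area href="https://example.com/e" target="_blank" rel="NoReferrer">
`;

console.log(findUnsafeBlankLinks(SAMPLE));
```

Current browsers already treat target="_blank" as noopener unless rel="opener" is set; the explicit attribute still covers older clients, which is why a check on the served markup remains useful.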