Link with target=“_blank” and rel=“noopener noreferrer” still vulnerable?


I see people recommending that whenever one uses target="blank" in a link to open it in a different window, she should put rel="noopener noreferrer". I wonder how does this prevent me from using Developer Tools in Chrome, for example, and removing the rel attribute. Then clicking the link...



Is that an easy way to still keep the vulnerability?







Tag: html

edited Apr 19 at 13:31 – Miro J.
asked Jun 5 '18 at 22:08 – Miro J.

  • What kind of protection do you think it would (or would not, in this case) grant?

    – D_N
    Jun 5 '18 at 22:14











  • I was considering browser extensions that can manipulate the DOM.

    – Miro J.
    Jul 25 '18 at 13:38

















2 Answers
You may be misunderstanding the vulnerability. You can read more about it here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Essentially, adding rel="noopener noreferrer" to links protects your site's users against having the site you've linked to potentially hijacking the browser (via rogue JS).

You're asking about removing that attribute via Developer Tools - that would only potentially expose you (the person tampering with the attribute) to the vulnerability.

answered Jun 5 '18 at 22:19 – Jon Uleis























Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. Adding rel="noopener noreferrer" fixes that vulnerability.

You could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.

Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.

edited Dec 10 '18 at 21:47 – Elias Zamaria
answered Jun 5 '18 at 22:23 – Obsidian Age
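
An added example, not part of either answer or of the linked article: both answers point out that the protection lives in the markup the server serves, so this sketch audits an HTML string for target="_blank" links and appends the missing rel tokens before the page is sent. The names `parseAttrs` and `hardenBlankLinks` and the sample markup are hypothetical, and the regex-based tag scan assumes attribute values contain no raw `>`.

```javascript
// Added example: harden target="_blank" links in HTML before the server sends it.
// Assumption: attribute values contain no raw ">" (true for well-formed markup).
const REQUIRED_REL = ["noopener", "noreferrer"];

// Parse the attribute text of one start tag into a Map keyed by lower-cased name.
// As in HTML parsing, the first occurrence of a duplicated attribute wins.
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Return the hardened HTML plus a finding for every link that needed a fix.
function hardenBlankLinks(html) {
  const findings = [];
  const out = html.replace(/<a(\s[^>]*)?>/gi, (tag, attrText) => {
    const attrs = parseAttrs(attrText || "");
    if ((attrs.get("target") || "").toLowerCase() !== "_blank") return tag;
    // Keep existing rel tokens (e.g. nofollow) and append only what is missing.
    const tokens = (attrs.get("rel") || "").split(/\s+/).filter(Boolean);
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED_REL.filter((t) => !have.has(t));
    if (missing.length === 0) return tag;
    findings.push({ href: attrs.get("href") || "", missing });
    attrs.set("rel", tokens.concat(missing).join(" "));
    const rebuilt = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${rebuilt.join(" ")}>`;
  });
  return { html: out, findings };
}

// Constructed sample markup, not taken from the original page.
const SAMPLE = [
  '<a href="https://example.org/a" target="_blank">unprotected</a>',
  '<a href="https://example.org/b" target="_blank" rel="nofollow noopener">partial</a>',
  '<a href="https://example.org/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local">same tab</a>',
].join("\n");

const report = hardenBlankLinks(SAMPLE);
console.log(report.findings);
console.log(report.html);
```

Running the function over its own output yields no findings, so it can sit in a render pipeline or a CI check without rewriting links that are already protected.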















                      Access current req object everywhere in Node.js ExpressWhy are global variables considered bad practice? (node.js)Using req & res across functionsHow do I get the path to the current script with Node.js?What is Node.js' Connect, Express and “middleware”?Node.js w/ express error handling in callbackHow to access the GET parameters after “?” in Express?Modify Node.js req object parametersAccess “app” variable inside of ExpressJS/ConnectJS middleware?Node.js Express app - request objectAngular Http Module considered middleware?Session variables in ExpressJSAdd properties to the req object in expressjs with Typescript