
One of the Most Unsafe CSS Attributes: target=_blank

18 Jul 2016, CPOL, 1 min read

People who are new to blogging tend to use the "target=_blank" attribute most often, and it is generally a preferred choice of bloggers and content writers. "target=_blank" opens a link in a new tab, so the user does not navigate away from the current page. This is very good for the SEO of a website or blog.

But there is one very big problem that bloggers don't notice, and it makes their blog or website vulnerable to phishing attacks. Let us tell you how:

Whenever a link is opened in a new tab, the new tab's window.opener points to the page that opened it, e.g., index.html. The newly opened tab can then set window.opener.location to some phishing page and so replace index.html in the original tab.

index.html could be changed into, say, index.html#malign, which looks exactly the same as the page the user had open. This could result in the theft of your login credentials. Even Google knows about this problem!

How to Avoid the Problem of target=_blank

To avoid this type of attack, add the following attribute to your links:

HTML
rel="noopener"

Firefox doesn't support rel="noopener", so use:

HTML
rel="noopener noreferrer"
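One way to apply this fix across a whole page, as an added example that is not part of the original article: a script that adds rel="noopener noreferrer" to every link that opens a new tab and reports what it changed. It goes slightly beyond target=_blank by also covering named targets, which open a new window the same way; the function names are this example's own.

```javascript
// Added example (not from the article): find and fix links that hand the
// opened page a window.opener reference.

// Targets that reuse an existing browsing context and so create no opener.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// Return the rel value a new-tab link should carry. Existing tokens such as
// "nofollow" are preserved; noreferrer is the article's fallback for
// browsers that ignore noopener.
function hardenedRel(rel) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// Scan every <a>/<area> with a target under `root` (a Document or Element),
// rewrite rel where needed, and return a report of the links that changed.
function hardenNewTabLinks(root) {
  const fixed = [];
  for (const link of root.querySelectorAll("a[target], area[target]")) {
    const target = (link.getAttribute("target") || "").toLowerCase();
    if (SAME_CONTEXT.has(target)) continue; // same tab or frame: no new opener
    const before = link.getAttribute("rel") || "";
    const after = hardenedRel(before);
    if (after !== before) {
      link.setAttribute("rel", after);
      fixed.push({ href: link.getAttribute("href"), before, after });
    }
  }
  return fixed;
}

// In a browser, run once the DOM is ready and log what had to be changed.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const fixed = hardenNewTabLinks(document);
    if (fixed.length) console.warn("new-tab links hardened:", fixed);
  });
}
```

The runtime pass only covers links present when it runs; the logged report is the list of links to correct in the markup or templates themselves.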

A slight change in your links could save you from a large web attack. All the best!!

Let us know if you have any queries or suggestions. Please subscribe for more awesome hacks. Have a nice day!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written by: Software Developer (Senior), India

Comments and Discussions

Question: More hype than real concern
Noobs R Us, 21-Jan-17 16:57
Not a CSS attribute, to begin with. It has nothing to do with CSS.

To be effective, the linked-to (malicious or hacked) site must have in-depth knowledge of the linking site; otherwise, when the user returns to the original tab or window, it will be plainly obvious that something has changed. This vulnerability relies on the user not noticing that the original tab has changed.

Google understands that it could be a problem (but they don't consider it a high concern), but that's because most people know what a Google login page looks like, so they're easy to visually spoof and a spoofed one is likely to not be noticed by non-savvy users. It's a potential problem for Google because of their vast popularity. Presumably other large services (Facebook, etc.) are aware of this also.

For a typical blog, there's no value in spoofing it because there's no sensitive data. This isn't a matter of "newbie bloggers" making a mistake, they're not endangering themselves or their users because there's nothing at risk, and even if there was something at risk, they would have to link to a URL where somebody with in-depth knowledge of their blog had set up a very specific attack (and, again, there's no value in that at all unless the real blog prompts users for something valuable).

So is it a potential problem? Yes, it's not impossible. Is it "one of the most unsafe attributes"...? Well, I'm not in the habit of thinking of attributes in terms of safety, but this would only be one of the most unsafe if all the others are perfectly safe, because this is such a non-issue in most cases.