[security] target="_blank" without rel="noopener" #315

Closed
denji opened this issue Nov 30, 2016 · 0 comments · Fixed by #327
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Milestone

Comments

@denji
Contributor

denji commented Nov 30, 2016

https://github.com/go-gitea/gitea/blob/bad1bc6/models/repo.go#L502

If you have links to another origin, you should use rel="noopener", especially if they open in a new tab/window.

<a href="http://example.com" target="_blank" rel="noopener">
   Example site
</a>

Without this, the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using window.opener.location = newURL.

Refs

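The two sides of the window.opener problem described in the comment above, as an added example that is not part of the issue, the Gitea code base or the fixing PR: `hijackOpener` shows what an opened page can still do with `window.opener` when the link lacks `rel="noopener"` (the "reverse tabnabbing" navigation), and `hardenBlankTargets` is one way a server-side renderer could post-process its HTML so that every `target="_blank"` anchor carries `rel="noopener"`. All function names are hypothetical, the sample HTML is constructed, and the hardening pass assumes the markup comes from a trusted renderer with quoted attribute values (it is not a general HTML sanitizer). The `opener` object is passed in explicitly so the attacker side can be exercised outside a browser with a stand-in object.

```javascript
// Added example (not Gitea code). Assumes trusted, well-formed HTML with
// quoted attribute values; the function names are hypothetical.

// 1. Attacker side. A page opened from <a target="_blank"> without
//    rel="noopener" receives the opening tab as window.opener. The
//    same-origin policy stops it reading that tab, but navigating it is
//    still allowed, so the original tab can be swapped for a look-alike
//    login page while the user is looking at the new tab.
function hijackOpener(opener, phishingUrl) {
  if (!opener) {
    // rel="noopener" makes window.opener null: nothing to navigate
    return false;
  }
  opener.location = phishingUrl; // in a browser: window.opener.location = ...
  return true;
}

// 2. Defender side: add rel="noopener noreferrer" to every target="_blank"
//    anchor that does not already carry noopener. Other anchors are left
//    byte-for-byte untouched.

// name, then optionally ="...", '...', or an unquoted value
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1].toLowerCase(), value }); // value undefined = bare attribute
  }
  return attrs;
}

function hardenBlankTargets(html) {
  return html.replace(/<a\b([^>]*?)(\/?)>/gi, (tag, attrText, selfClose) => {
    const attrs = parseAttrs(attrText);
    const target = attrs.find((a) => a.name === 'target');
    if (!target || (target.value || '').toLowerCase() !== '_blank') return tag;

    const relIdx = attrs.findIndex((a) => a.name === 'rel');
    const tokens = new Set(
      relIdx >= 0 && attrs[relIdx].value
        ? attrs[relIdx].value.toLowerCase().split(/\s+/).filter(Boolean)
        : []
    );
    if (tokens.has('noopener')) return tag; // already safe, leave as-is
    tokens.add('noopener');
    tokens.add('noreferrer'); // implies noopener in older engines, also drops Referer
    const rel = { name: 'rel', value: [...tokens].join(' ') };
    if (relIdx >= 0) attrs[relIdx] = rel; else attrs.push(rel);

    // Re-emit the tag with double-quoted attributes (quotes in values escaped).
    const rendered = attrs
      .map((a) => (a.value === undefined ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
      .join(' ');
    return `<a ${rendered}${selfClose}>`;
  });
}

// Constructed sample, mirroring the anchor from the comment above.
const SAMPLE = '<p><a href="http://example.com" target="_blank">Example site</a></p>';
console.log(hardenBlankTargets(SAMPLE));
```

Browsers released since 2021 (Chrome 88, Firefox 79, Safari 12.1 and later) treat `target="_blank"` as implying `noopener`, but the explicit attribute still matters for older clients and for links opened programmatically; for `window.open` the equivalent is passing `noopener` in the feature string, e.g. `window.open(url, '_blank', 'noopener')`.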
@tboerger tboerger added this to the 1.0.0 milestone Nov 30, 2016
@lunny lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 30, 2016
@lunny lunny closed this as completed in #327 Dec 2, 2016
@denji denji changed the title _blank without noopener - security risk (window.opener) target="_blank" without rel="noopener" - security risk (window.opener) Dec 2, 2016
@denji denji changed the title target="_blank" without rel="noopener" - security risk (window.opener) [security] target="_blank" without rel="noopener" (window.opener) Dec 2, 2016
@denji denji changed the title [security] target="_blank" without rel="noopener" (window.opener) [security] target="_blank" (window.opener) without rel="noopener" Dec 2, 2016
@denji denji changed the title [security] target="_blank" (window.opener) without rel="noopener" [security] target="_blank" without rel="noopener" Dec 2, 2016
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020

4 participants