
Bug #8714

Security bug: WAnchor should set rel="noopener" when opening a link that opens in a new window

Added by Maks Verver 3 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 06/20/2021
Due date:
% Done: 0%
Estimated time:

Description

Wt::WLink supports the very useful LinkTarget::NewWindow, which can be used to have a WAnchor element open a link in a new window. In HTML, such a link is rendered as follows:

<a id=".." href=".." target="_blank">..</a>

There is a problem with this: this gives the new window access to the opener through the JavaScript window.opener object, potentially leaking CSRF tokens etc. See https://mathiasbynens.github.io/rel-noopener/ for details.

In newer browsers, the behavior has been changed to not allow access to the opener unless rel="opener" is set on the link explicitly, which is a safer default.

To behave consistently and securely across browsers, Wt should set rel="noopener" on all links that open in a new window.

Other improvements to consider:

  • Wt could provide an option to set rel="opener" (maybe by introducing a new LinkTarget value like NewWindowWithOpener) but I'm not sure it makes sense for Wt apps.
  • Wt could provide an option to set rel="noreferrer". It's currently possible to do this via setAttributeValue() on the WAnchor object, but it might make sense for this to be part of the WLink instead.
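As an added illustration (example code, not part of this report or of the Wt project), the following JavaScript audit classifies anchors in rendered HTML the way the report describes, treating rel="noreferrer" as implying noopener and rel="opener" as an explicit opt-in, and rewrites the leaking ones with rel="noopener"; it also goes slightly beyond the report by treating any target other than _self/_parent/_top as a new browsing context. The sample HTML is constructed, and parsing is a regex over <a> tags only.

```javascript
// Added example (not Wt's code): audit rendered HTML for anchors that open a new
// browsing context without rel="noopener", and apply the fix this report asks for.
// Regex-based and limited to <a> tags; assumes attribute values without '>' inside.
function parseAttrs(attrText) {
  // Parse the attribute text of one <a ...> tag into a lowercase-keyed object.
  const attrRe = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}
function classify(attrs) {
  // Any target other than _self/_parent/_top (or none) opens a new browsing context;
  // without noopener/noreferrer the new page can reach window.opener.
  const target = (attrs.target || '').trim().toLowerCase();
  if (['', '_self', '_parent', '_top'].includes(target)) return 'same-window';
  const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  if (rel.has('noopener') || rel.has('noreferrer')) return 'ok'; // noreferrer implies noopener
  if (rel.has('opener')) return 'explicit-opener';               // deliberate opt-in
  return 'leaks-opener';
}
function auditAnchors(html) {
  // Report every <a> tag in a rendered HTML string with its status.
  return Array.from(html.matchAll(/<a\b([^>]*)>/gi), (m) => {
    const a = parseAttrs(m[1]);
    return { id: a.id || null, href: a.href || null, target: a.target || null, rel: a.rel || null, status: classify(a) };
  });
}
function hardenAnchors(html) {
  // Rewrite leaking anchors: add rel="noopener", or append the token to an existing rel.
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (classify(attrs) !== 'leaks-opener') return tag;
    if (!('rel' in attrs)) return `<a${attrText} rel="noopener">`;
    const merged = [attrs.rel.trim(), 'noopener'].filter(Boolean).join(' ');
    return '<a' + attrText.replace(/(\s)rel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i,
                                   (_, ws) => `${ws}rel="${merged}"`) + '>';
  });
}
// Constructed sample; the first anchor mirrors what the report says Wt renders today.
const SAMPLE_HTML = [
  '<a id="o1" href="https://example.org/docs" target="_blank">docs</a>',
  '<a id="o2" href="https://example.org/x" target="_blank" rel="noreferrer">x</a>',
  '<a id="o3" href="/local" target="_self">same tab</a>',
  '<a id="o4" href="https://example.org/y" target="_blank" rel="opener">y</a>',
].join('\n');
console.log(hardenAnchors(SAMPLE_HTML));
```

Running it prints the sample with only the first anchor changed; auditAnchors() on the result reports no remaining 'leaks-opener' entries.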
