Google Chrome to block JavaScript redirects on clicks on web page URLs

Google Chrome gets a new feature that increases security when clicking on links from web pages that open URLs in a new window or tab.

When inserting links into an HTML page, authors can include the target="_blank" attribute that tells the browser to open the link in a new tab when clicked.

HTML displaying a _blank attribute
HTML displaying a _blank attribute

However, this attribute has a known security issue that allows the newly opened page to use javascript to redirect the original page to a different URL. This redirected URL can be anything the threat actor wants, including phishing pages or pages that automatically download malicious files.

For example, suppose we link to another site in our article and use the target = “_ blank” attribute. In this case, the new page can use JavaScript to redirect our article to a phishing page asking for BleepingComputer credentials.

To prevent this from happening, a rel = “noopener” HTML link attribute has been created that prevents a new tab from using JavaScript to redirect the page.

Noopener attribute added to a link
Noopener attribute added to a _blank link

Make _blank attributes automatically use noopener

In 2018, to strengthen security, Apple made a change in Safari which processes all HTML links that use target = “_ blank” to automatically imply the noopener attribute as well. With this feature enabled, even if a website does not use rel = “nooopener” on its URLs, the browser will still secure them.

Last week Microsoft Edge developer Eric Lawrence added this same functionality at Chromium, which means it will also be integrated with Microsoft Edge, Google Chrome, Brave, and other Chromium-based browsers.

“To mitigate” tab-napping “attacks, in which a new tab / window opened by a victim context can navigate that open context, the HTML standard has changed to specify that anchors that target _blank should behave like if | rel = “noopener” | is set. A page wishing to disable this behavior can set | rel = “opener” | “, Lawrence said in an engagement in the Chromium browser.

Chrome bug report on noopener
Chrome bug report on noopener

This feature is currently enabled in Chrome Canary and is expected to be released with Chrome 88 in January 2021.

Comments are closed.