target='_blank' rel='noopener'


Why is target='_blank' vulnerable?

target=_blank allows the new opened tab direct access to the origin's tab through the opener object.

For example, try clicking on this vulnerable link

<a href="https://httpsecurityheaders.applephi.net/Vulnerable/SameOrigin" target="_blank">Link</a>

In this innocent example I modify the web page a little, but you could replace the page with a phishing page...

How can I fix this?

You can easily fix this by setting the rel attribute to noopener. This way the new tab does not receive the opener object.

For example, try clicking on this safe link

<a href="https://httpsecurityheaders.applephi.net/Vulnerable/SameOrigin" target="_blank" rel="noopener">Link</a>