The <a> tag jump referer vulnerability


An <a> tag that opens a new page needs rel="noopener noreferrer" added.

Otherwise, the newly opened page (http://www.baidu.com) can use window.opener to obtain partial control of the source page, even if the newly opened page is cross-domain (for example, location is not subject to cross-domain restrictions).

In Chrome 49+ and Opera 36+, when a link with rel=noopener is opened, window.opener will be null. In older browsers, you can use rel=noreferrer to disable the Referer field of the HTTP header.

As follows:




In Element UI, el-link is equivalent to an <a> tag.



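In addition, you can open the page with window.open and manually set opener to null.

var url = 'http://www.baidu.com';
var otherWindow = window.open();   // open a blank window first
if (otherWindow) {                 // null when a popup blocker intervenes
  otherWindow.opener = null;       // remove the reference back to this page
  otherWindow.location = url;      // only then navigate to the target
}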
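A check for the rel rule described above, as an added example that is not part of the original post: it scans markup for a and el-link tags with target="_blank" and reports which of noopener and noreferrer are missing. The function names and the sample markup are constructed for illustration, and the regex scan is a simplification that does not handle bound attributes (:target) or ">" inside attribute values.

```javascript
// Added example: flag links that open a new page without rel="noopener noreferrer".
// Regex-based scan for static review; an assumption-level stand-in for an HTML parser.
const TAG_RE = /<(a|el-link)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Parse the raw attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per new-page link that lacks a required rel token.
function findUnsafeLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[2]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    // rel is a space-separated, case-insensitive token list.
    const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    const missing = REQUIRED_REL.filter((token) => !rel.has(token));
    if (missing.length > 0) {
      findings.push({ tag: m[1].toLowerCase(), href: attrs.href || '', missing });
    }
  }
  return findings;
}

// Constructed sample markup.
const SAMPLE = `
<a href="http://www.baidu.com" target="_blank">no rel at all</a>
<a href="http://www.baidu.com" target="_blank" rel="noopener noreferrer">ok</a>
<A HREF='http://www.baidu.com' TARGET=_blank REL="nofollow">rel without the tokens</A>
<el-link href="http://www.baidu.com" target="_blank">Element UI link</el-link>
<a href="/about">same tab, ignored</a>
`;

for (const f of findUnsafeLinks(SAMPLE)) {
  console.log(`<${f.tag}> ${f.href} is missing rel: ${f.missing.join(' ')}`);
}
```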


