org.sonar.l10n.web.rules.Web.S5148.html Maven / Gradle / Ivy
A newly opened window having access back to the originating window could allow basic phishing attacks (the window.opener object is not
null and thus window.opener.location can be set to a malicious website by the opened page).
For instance, an attacker can put a link (say: "http://example.com/mylink") on a popular website that changes, when opened, the original page to
"http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users to enter their
credentials.
Ask Yourself Whether
- The application opens untrusted external URL.
There is a risk if you answered yes to this question.
Sensitive Code Example
<a href="http://example.com/" rel="opener" target="_blank"> <!-- Sensitive -->
<a href="{{variable}}" rel="opener" target="_blank"> <!-- Sensitive -->
Compliant Solution
In Chrome 88+, Firefox 79+ or Safari 12.1+ target=_blank on anchors implies rel=noopener which makes the protection
enabled by default.
<a href="https://example.com/" target="_blank" >
Exceptions
No Issue will be raised when href contains a hardcoded relative url as there it has less chances of being vulnerable. An url is
considered hardcoded and relative if it doesn’t start with http:// or https://, and if it does not contain any of the
characters {}$()[]
<a href="internal.html" rel="opener" target="_blank" >
See