DSpace issue DS-3891

Minor security issue with links using target="_blank"


    Details

    • Documentation Status: Not Required

      Description

      Using target="_blank" to make links open in a new window has several unwanted security and performance side effects due to the way this is implemented in browsers. There is a great explanation on Google's Chrome Audit resources page:

      When your page links to another page using target="_blank", the new page runs on the same process as your page. If the new page is executing expensive JavaScript, your page's performance may also suffer.

      On top of this, target="_blank" is also a security vulnerability. The new page has access to your window object via window.opener, and it can navigate your page to a different URL using window.opener.location = newURL.

      Here is a proof of concept detailing and demonstrating the vulnerability.

      At the very least, DSpace should use target="_blank" rel="noopener" for links to external resources that are meant to open in a new window.
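As an added example that is not part of the DSpace issue or code base: a small Node script that audits an HTML fragment for anchors opening a new browsing context without rel="noopener" (or noreferrer, which browsers treat as implying it) and rewrites them the way the description recommends. It uses plain string processing rather than a DOM, and the sample markup is constructed.

```javascript
// Added example, not DSpace code: audit an HTML fragment for anchors that open a
// new browsing context without rel="noopener" and rewrite them. Pure string
// processing (no DOM); each <a ...> start tag is handled on its own.
const TAG_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const REL_RE = /(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Lower-cased attribute map for one start tag (quoted or bare values).
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value || "";
  }
  return attrs;
}

// True when the link opens a new window/tab and its rel list has neither
// "noopener" nor "noreferrer", i.e. the opened page gets a live window.opener.
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Reports the href of every offending anchor and returns the fragment with
// "noopener" appended to the rel list (existing tokens such as nofollow kept).
function hardenBlankLinks(html) {
  const findings = [];
  const fixed = html.replace(TAG_RE, (tag, raw) => {
    const attrs = parseAttrs(raw);
    if (!isUnsafeBlankLink(attrs)) return tag;
    findings.push(attrs.href || "(no href)");
    const current = (attrs.rel || "").trim();
    const rel = current ? `${current} noopener` : "noopener";
    if (REL_RE.test(raw)) return tag.replace(REL_RE, `$1rel="${rel}"`);
    return `<a${raw} rel="${rel}">`;
  });
  return { findings, fixed };
}

// Constructed fragment: an external link missing rel, one with rel="nofollow"
// only, one same-window link and one already hardened via noreferrer.
const SAMPLE = '<a href="https://example.org/" target="_blank">ext</a> ' +
  '<a href="/x" target="_blank" rel="nofollow">int</a> <a href="/y">same</a> ' +
  '<a target="_blank" rel="noreferrer" href="/z">ok</a>';

const RESULT = hardenBlankLinks(SAMPLE);
console.log(RESULT.findings.join("\n"));
console.log(RESULT.fixed);
```

Running the script over rendered theme output (or the fragment above) lists the external links still lacking noopener, which is the set a maintainer would need to patch in the templates.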

            People

            • Assignee: Unassigned
            • Reporter: Alan Orth (aorth)
            • Reviewer: Tim Donohue