Google Chrome to block JavaScript redirects on webpage URL clicks

Google Chrome will soon be able to block JavaScript redirects when users click on a webpage link that opens a URL in a new window or tab.

For those unfamiliar, when inserting a link into an HTML page, an author can include the target=”_blank” attribute to tell a web browser to open a link in a new tab. Although useful for site owners, this attribute has a known security issue due to the fact that a newly opened page can use a JavaScript redirect to open a different URL than the one specified in a site’s HTML code.

This means that a threat actor could redirect users to phishing pages or sites hosting malicious files simply by adding a JavaScript redirect to links on a web page.

Fortunately, an HTML link attribute re:=”noopener” was created to prevent new tabs from using JavaScript to redirect to another UR.

Prevent JavaScript redirects

In 2018, Apple changed the way Safari treats all HTML links that use the target=”_blank” attribute to automatically imply the noopener attribute. When enabled, this feature prevents embedded links from redirecting to a different URL.

Microsoft Edge developer Eric Lawrence recently added this same feature to Chromium, which means it will soon find its way to Google Chrome, Brave, Vivaldi, Microsoft Edge, and all other Chromium-based browsers. Lawrence provided more details on how this feature works in Chromium in his pledge, saying:

“To mitigate tab-napping attacks, in which a new tab/window opened by a victim context can navigate within that opening context, the HTML standard has been changed to specify that anchors that target _blank must behave as if |rel=”noopener”| is set. A page wishing to disable this behavior can set |rel=”opener”|.”

Currently, this feature is enabled in Chrome Canary, but is expected to be included with the release of Chrome 88 in January next year.

Via BleepingComputer

Comments are closed.