
Window.open() and target="_blank" have a security vulnerability

We often use the HTML target="_blank" attribute or the JavaScript window.open() call to open pages in new tabs. (Note that an href such as "www.google.com" without a scheme is a relative path on our own site, so the examples use full URLs.)

// in html
<a href="https://www.google.com" target="_blank">open google</a>
// in javascript (the default target of window.open() is _blank)
window.open("https://www.google.com")

But when the newly opened page belongs to a site we don't control, we expose our users to a phishing attack (often called reverse tabnabbing). The new page receives a reference back to the linking page through its window.opener object. Because the two pages are normally cross-origin, that reference is limited, but it still allows the new page to navigate the original tab.

For example, it can set window.opener.location to send the user of the original tab to a phishing site that mimics the original page and asks them to log in again. This is very effective because the user trusts the tab they already had open and does not expect it to have changed while they were looking at the other one.

In order to prevent this we can:

  1. in HTML use rel="noopener" together with target="_blank"
<a href="https://someLink.com" target="_blank" rel="noopener noreferrer">
    open securely in a new tab
</a>
  2. in JavaScript be sure to reset the "opener" property on the returned window handle (it can be null if a popup blocker intervened)
const newWindow = window.open("https://someLink.com");
if (newWindow) newWindow.opener = null;

later edit: noreferrer is largely redundant now, since it implies noopener in every browser that supports it, so noopener alone is enough for the HTML case in current browsers. Keeping both costs nothing and also covers older browsers that understood noreferrer before they understood noopener. Current browsers additionally treat target="_blank" as noopener by default, but the explicit rel attribute is still the right thing to ship.
later edit 2: we also have access to the windowFeatures parameter of window.open(), so we can do:

window.open('https://www.your.url','_blank','noopener')

Be aware that when 'noopener' is passed as a feature, window.open() returns null instead of a window handle, so code that expects to keep a reference to the new window must not rely on the return value.
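Putting the HTML and JavaScript fixes together, as an added example that is not part of the original post: the helpers below (hypothetical names: mergeRel, relForNewTabLink, hardenAnchors, openSafely) decide which rel tokens a new-tab link needs based on whether it leaves the current origin, patch every target="_blank" anchor in a DOM subtree such as rendered user-generated HTML, and wrap window.open() so the opener is dropped whether or not the browser honours the 'noopener' feature. The origin https://mysite.example used in the comments is a placeholder.

```javascript
// Added example (not from the original post): hardening outbound links and
// window.open() calls against reverse tabnabbing. The function names are
// hypothetical helpers, not a library API.

// Merge the rel tokens a link already has with the ones we require,
// without duplicating tokens or dropping existing ones such as "nofollow".
function mergeRel(existingRel, required) {
  const tokens = new Set((existingRel || "").split(/\s+/).filter(Boolean));
  for (const r of required) tokens.add(r);
  return [...tokens].join(" ");
}

// Decide which rel tokens a link that opens a new tab needs.
// Same-origin links may keep a usable opener (the new tab runs our own code);
// anything else gets noopener, plus noreferrer as a fallback for older
// browsers that understood noreferrer (which implies noopener) first.
// Note that a scheme-less href like "www.google.com" resolves as a
// relative path on the current origin, which is why such links look
// "same-origin" here: always write full URLs for external links.
function relForNewTabLink(href, currentOrigin) {
  let origin;
  try {
    origin = new URL(href, currentOrigin).origin;
  } catch {
    origin = null; // unparsable href: treat as untrusted
  }
  if (origin === currentOrigin) return [];
  return ["noopener", "noreferrer"];
}

// Walk a DOM subtree (e.g. rendered user-generated HTML) and fix every
// anchor that opens a new tab. `root` is any element with querySelectorAll.
// Returns the number of anchors whose rel attribute was changed.
function hardenAnchors(root, currentOrigin) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target="_blank"]')) {
    const required = relForNewTabLink(a.getAttribute("href") || "", currentOrigin);
    if (required.length === 0) continue;
    const existing = a.getAttribute("rel") || "";
    const merged = mergeRel(existing, required);
    if (merged !== existing) {
      a.setAttribute("rel", merged);
      changed++;
    }
  }
  return changed;
}

// window.open() wrapper. With "noopener" in windowFeatures the browser
// returns null (no handle to the new window). If a browser ignores the
// feature and hands back a handle, null out its opener as a fallback;
// this is safe because the new window is still about:blank at this point.
// `win` is the global window object, passed in so the helper can be tested.
function openSafely(url, win) {
  const handle = win.open(url, "_blank", "noopener,noreferrer");
  if (handle) {
    handle.opener = null;
  }
  return null; // callers must not expect a handle to the new window
}
```

In a real page you would call hardenAnchors(document.body, window.location.origin) after injecting untrusted HTML, and openSafely(url, window) wherever the code previously called window.open(url).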
