使用window.open但阻止使用window.opener [英] Use window.open but block use of window.opener
问题描述
前一段时间,我遇到了有趣的安全漏洞 >
A while back I ran across an interesting security hole
<a href="http://someurl.here" target="_blank">Link</a>
看起来足够无害,但存在一个漏洞,因为默认情况下,正在打开的页面允许通过 window.opener
对其进行回调.跨域有一些限制,但是仍然有一些恶作剧可以做
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener
. There are some restrictions, being cross-domain, but there's still some mischief that can be done
window.opener.location = 'http://gotcha.badstuff';
现在,HTML有一种解决方法
Now, HTML has a workaround
<a href="http://someurl.here" target="_blank" rel="noopener noreferrer">Link</a>
这可以防止新窗口传递 window.opener
到它.这对于HTML来说很好,而且很好,但是如果您使用的是 window.open
,该怎么办?
That prevents the new window from having window.opener
passed to it. That's fine and good for HTML, but what if you're using window.open
?
<button type="button" onclick="window.open('http://someurl.here', '_blank');">
Click Me
</button>
您如何阻止在此处传递 window.opener
的使用?
How would you block the use of window.opener
being passed here?
推荐答案
window.open()
现在调用因此,调用 window.open('https://www.your.url','_blank','noopener')
应该打开新窗口/标签,其中的 window.opener
为空.
The window.open()
call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener')
should open the new window/tab with a null window.opener
.
我在查找支持的浏览器(和版本)的可靠列表时遇到了麻烦-MDN指出
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
现代浏览器(包括Chrome和Firefox 52+)支持此功能.
This is supported in modern browsers including Chrome, and Firefox 52+.
从我的实验中,我发现它适用于:
From my experimentation, I see it works for:
- Chrome 61
- FireFox 56
- Safari 11.1(为此感谢 Jiayi Hu )
- Chrome 61
- FireFox 56
- Safari 11.1 (thanks Jiayi Hu for this)
但不适用于:
- IE 11.608
- 边缘 40
- IE 11.608
- Edge 40
(在运行Windows 10的PC上的所有测试...)
(All tests on a PC running Windows 10...)
为了向后兼容,最好将其与 t3__rry的答案结合.
For backwards compatibility it may be better to combine this with t3__rry's answer.
这篇关于使用window.open但阻止使用window.opener的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!