Use window.open but block use of window.opener

Views: 148

Question

A while back I ran across an interesting security hole

<a href="http://someurl.here" target="_blank">Link</a>

Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there's still some mischief that can be done

window.opener.location = 'http://gotcha.badstuff';

Now, HTML has a workaround

<a href="http://someurl.here" target="_blank" rel="noopener noreferrer">Link</a>

That prevents the new window from having window.opener passed to it. That's fine and good for HTML, but what if you're using window.open?

<button type="button" onclick="window.open('http://someurl.here', '_blank');">
    Click Me
</button>

How would you block the use of window.opener being passed here?

Recommended answer

The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.

I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that

This is supported in modern browsers including Chrome, and Firefox 52+.

From my experimentation, I see it works for:

  • Chrome 61
  • Firefox 56
  • Safari 11.1 (thanks Jiayi Hu for this)

But not for:

  • IE 11.608
  • Edge 40

(All tests on a PC running Windows 10...)

For backwards compatibility it may be better to combine this with t3__rry's answer.
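As an added example (not code from the question or the answer above), the helper below wraps window.open with the "noopener" feature and, for browsers that ignore it, falls back to nulling the returned handle's opener by hand. The `win` parameter, the `makeFakeWindow` factory and the `openerIsExposed` check are assumptions introduced here so the logic can be exercised offline; in a browser you would pass `window`. Note that when a browser honours "noopener", window.open returns null, so the caller gets no handle at all, which is exactly the point.

```javascript
// Added example (not from the original Q&A): open a URL in a new tab while
// denying the new page a usable window.opener. `win` is injectable only for
// testability; in a browser pass `window`.
const NOOPENER_FEATURES = 'noopener,noreferrer';

// Parse a window.open feature string into a set of tokens so callers can
// check what was requested (tokens are comma-separated and case-insensitive;
// "key=value" pairs keep only the key).
function featureTokens(features) {
  return new Set(
    String(features || '')
      .split(',')
      .map((f) => f.trim().toLowerCase().split('=')[0])
      .filter(Boolean)
  );
}

// Open `url` in a new browsing context without exposing the opener.
// Returns null when the browser honoured "noopener" (the spec behaviour),
// or the window handle on browsers that ignored the feature; in that case
// the handle's opener is nulled as a fallback.
function openWithoutOpener(url, win) {
  const target = win || (typeof window !== 'undefined' ? window : null);
  if (!target) {
    throw new Error('no window object available');
  }
  const handle = target.open(url, '_blank', NOOPENER_FEATURES);
  if (handle && handle.opener !== null) {
    // Fallback for browsers that ignore "noopener" (assumed for the legacy
    // browsers listed in the answer): sever the back-reference by hand.
    try {
      handle.opener = null;
    } catch (e) {
      // Nothing more can be done from the opening side if the property
      // is not writable.
    }
  }
  return handle;
}

// Check usable from the *opened* page's perspective: did an opener reach it?
function openerIsExposed(win) {
  return Boolean(win && win.opener);
}

// Constructed fake window for offline demonstration (not a real browser).
// `honoursNoopener` = true models a modern browser, false a legacy one.
function makeFakeWindow(honoursNoopener) {
  const calls = [];
  const fake = {
    calls,
    open(url, name, features) {
      calls.push({ url, name, features });
      if (honoursNoopener && featureTokens(features).has('noopener')) {
        return null; // spec behaviour: no handle, no opener
      }
      // Legacy behaviour: a handle whose opener points back at the caller.
      return { opener: fake, location: url };
    },
  };
  return fake;
}

if (typeof window === 'undefined') {
  // Offline demo under Node: exercise both modelled browser behaviours.
  const modern = makeFakeWindow(true);
  console.log('modern browser returns:', openWithoutOpener('https://example.com', modern));
  const legacy = makeFakeWindow(false);
  const handle = openWithoutOpener('https://example.com', legacy);
  console.log('legacy browser, opener exposed after fallback?', openerIsExposed(handle));
}
```

The fallback only helps when window.open returns a handle; when "noopener" is honoured there is nothing to patch and no handle to misuse, so code that previously relied on the returned window (for example to focus it) has to be rewritten.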

