default `rel=noopener` for link_to with target: '_blank' to avoid tabnabbing attacks

A link with target=_blank will cause a kind of phishing attack known as tabnabbing.

Details of this attack are described below.

This is caused by the window.opener JavaScript API, and it will be prevented by the new rel=noopener API.

So I propose adding this attribute to link_to when it is given target: "_blank".


link_to "External link", "http://www.rubyonrails.org/", target: "_blank"


<!-- before -->

<a href="http://www.rubyonrails.org/" target="_blank">External link</a>

<!-- after -->

<a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>

Here is the noopener spec.

https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener

Currently implemented by Chrome/Opera.

http://caniuse.com/#search=noopener

noreferrer is considered an alternative to noopener for older browsers.

But this causes the referrer not to be sent to the server, so it'll be a breaking change for some apps.

noopener has no side effects for apps, unless they use window.opener of course.

I'm posting this to ask you guys before writing a PR, according to the guideline.

Thanks.

Jxck
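As an added illustration of the proposed behaviour (this is example code, not Rails' own link_to and not the patch in the thread), the helper below builds an anchor tag and appends rel="noopener" whenever target: "_blank" is given, keeping any rel value the caller already set. It also includes a small audit function, assumed here for the example, that scans rendered HTML for target="_blank" anchors still lacking noopener or noreferrer, which is useful for checking existing templates before such a default lands.

```ruby
require "cgi"

# Example helper (not Rails' link_to): renders <a href=...>text</a> and, when
# the target is "_blank", adds rel="noopener" so the opened page cannot reach
# the opener tab through window.opener.
def safe_link_to(text, href, options = {})
  attrs = options.dup

  if attrs[:target].to_s == "_blank"
    # Preserve any rel tokens the caller supplied (e.g. "nofollow") and add
    # noopener only once.
    rel = attrs[:rel].to_s.split
    rel << "noopener" unless rel.include?("noopener")
    attrs[:rel] = rel.join(" ")
  end

  pairs = [["href", href]] + attrs.map { |k, v| [k.to_s, v] }
  attr_str = pairs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
  "<a #{attr_str}>#{CGI.escapeHTML(text)}</a>"
end

# Audit helper (assumed for this example): returns the opening <a ...> tags in
# the given HTML that open a new tab but carry neither noopener nor noreferrer.
def unprotected_blank_links(html)
  html.scan(/<a\b[^>]*>/i).select do |tag|
    tag =~ /\btarget\s*=\s*["']?_blank["']?/i &&
      tag !~ /\brel\s*=\s*["'][^"']*\b(noopener|noreferrer)\b[^"']*["']/i
  end
end

if __FILE__ == $PROGRAM_NAME
  puts safe_link_to("External link", "http://www.rubyonrails.org/", target: "_blank")
  sample = '<a href="/a" target="_blank">a</a>' \
           '<a href="/b" target="_blank" rel="noopener">b</a>' # constructed sample HTML
  p unprotected_blank_links(sample)
end
```

With a plain target: "_blank" the helper produces exactly the "after" markup shown above; the audit function reports only the first anchor of the constructed sample, since the second already carries noopener.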

+1, good default. Please do submit a PR.

Thanks Jeremy.

Now I'm working on a patch here:

https://github.com/Jxck/rails/tree/noopener

I'll send a PR soon when I'm done.

Thanks

Jxck

On Thursday, June 16, 2016 at 3:49:10 AM UTC+9, Jeremy Daer wrote: