Mr Postman's Lemmy
  • Communities
  • Create Post
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
lemmydividebyzero@reddthat.com to Technology@lemmy.worldEnglish · 19 days ago

Please don't mess with links: (Maurycy's blog)

maurycyz.com

external-link
message-square
8
link
fedilink
40
external-link

Please don't mess with links: (Maurycy's blog)

maurycyz.com

lemmydividebyzero@reddthat.com to Technology@lemmy.worldEnglish · 19 days ago
message-square
8
link
fedilink
  • MonkderVierte@lemmy.zip
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    19 days ago

    <a target="\_blank">

    About that, you should add rel="noopener" (and maybe noreferer too) there, or the linked site could inject JS in yours, a security risk for your visitors.

    I have a little usercss that adds a warning picture (::after { content: "pic"; }) on _target without noopener and especially Github is bad there.

    • ChaosMonkey@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      19 days ago

      Can you share some reference? I don’t understand how some linked site could affect the site containing it.

      • MonkderVierte@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        19 days ago

        Stackoverflow, but here you go.

        I’ve made a userscript that puts a rel="noopener" on target=“_blank” links where missing, with no issues for about half a year usage. While noreferer breaks some payment processors and the like. Sadly, i lost it a few months ago, need to redo it sometime.

        • ChaosMonkey@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          19 days ago

          Thanks, really good to know.

          For quick reference, here is the first section from the MSDN docs:

          The noopener keyword for the rel attribute of the <a>, <area>, and <form> elements instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).

        • WhyJiffie@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          18 days ago

          the answers say these are not recommended anymore, because browsers changed their defaults a long time ago

          • MonkderVierte@lemmy.zip
            link
            fedilink
            English
            arrow-up
            2
            ·
            18 days ago

            I’ve looked into Firefox’ bugtracker and there it’s “solved” by not doing it because nobody else does it.

            • WhyJiffie@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              18 days ago

              they changed their mind in ff 72: https://hacks.mozilla.org/2020/07/firefox-79/

              also see:

              • https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/a
              • https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/rel/noopener

Technology@lemmy.world

technology@lemmy.world

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


  • @L4s@lemmy.world
  • @autotldr@lemmings.world
  • @PipedLinkBot@feddit.rocks
  • @wikibot@lemmy.world
Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 4.39K users / day
  • 9.96K users / week
  • 16.6K users / month
  • 17.9K users / 6 months
  • 1 local subscriber
  • 85.9K subscribers
  • 1.85K Posts
  • 43.9K Comments
  • Modlog
  • mods:
  • L3s@lemmy.world
  • enu@lemmy.world
  • Technopagan@lemmy.world
  • L4sBot@lemmy.worldB
  • L3s@hackingne.ws
  • BE: 0.19.19
  • Modlog
  • Instances
  • Docs
  • Code
  • join-lemmy.org