
It seems like there's an easy fix... infer 'rel=noopener' by default on every https site that opens an http site. Or just don't allow http pages to redirect https pages.

It would make scam pages much more expensive while still allowing most legitimate use. And it would be consistent with existing security policies.



Then the scammer can use Let's Encrypt. The solution should be that window.opener shouldn't work cross-domain.


I wouldn't be surprised if there was legacy software that depended on this behavior. Restricting URL change to same-origin will work much better.



