TIL that target="_blank" is bad. Who knew? (Hackers.)


We all love the target="_blank" attribute, which makes links open in a new window. The problem is that the new page gets a reference to the original window through window.opener, and it can use that reference to navigate the original tab, for example redirecting it to a spoofed URL.

Scary, right? Someone can post a link on your forum or in the comments of your blog and go to town. In the meantime, be careful of your clicks.

Try the example here to see it in action: http://lcamtuf.coredump.cx/switch/ or here https://mathiasbynens.github.io/rel-noopener
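The fix is to cut the opener reference before the new page ever gets it. Below is an added example (not code from the original post or from the demo pages it links): a JavaScript helper that rewrites every `<a target="_blank">` in user-supplied HTML (a forum post or blog comment) so it carries `rel="noopener noreferrer"`, which makes the browser hand the new page a null `window.opener`, plus a `safeOpen` wrapper for code that calls `window.open` itself. The function names, the injectable `win` parameter and the sample comment fragment are this example's own assumptions.

```javascript
// Added example (not from the original post): defending against opener abuse
// from user-generated links. Two layers:
//   1. hardenBlankTargets(html): rewrite every <a target="_blank"> in an HTML
//      fragment so it carries rel="noopener noreferrer"; the browser then gives
//      the new page a null window.opener.
//   2. safeOpen(url, win): open a URL programmatically with the "noopener"
//      feature and, for older browsers, null out the opener on the returned window.
// The names hardenBlankTargets, hardenAnchorTag, mergeRel, safeOpen and the
// sample comment are this example's own assumptions.

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Merge the rel tokens the link already has with the ones we require,
// keeping the author's tokens (e.g. nofollow) and their original order.
function mergeRel(existing) {
  const tokens = existing ? existing.trim().split(/\s+/).filter(Boolean) : [];
  for (const t of REQUIRED_REL) {
    if (!tokens.some((x) => x.toLowerCase() === t)) tokens.push(t);
  }
  return tokens.join(' ');
}

// Rewrite one opening <a ...> tag. `attrs` is everything between "<a" and ">".
function hardenAnchorTag(attrs) {
  // Only links that open a new browsing context hand out window.opener.
  if (!/\btarget\s*=\s*(["']?)_blank\1/i.test(attrs)) return `<a${attrs}>`;

  const relMatch = attrs.match(/\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
  if (relMatch) {
    const current = relMatch[1] ?? relMatch[2] ?? relMatch[3] ?? '';
    const merged = mergeRel(current);
    return `<a${attrs.replace(relMatch[0], () => `rel="${merged}"`)}>`;
  }
  return `<a${attrs} rel="${mergeRel('')}">`;
}

// Walk an HTML fragment (e.g. a rendered forum comment) and harden every anchor.
// Regex-based on purpose: it runs on a string, server-side, with no DOM available.
function hardenBlankTargets(html) {
  return html.replace(/<a(\s[^>]*)>/gi, (_m, attrs) => hardenAnchorTag(attrs));
}

// Programmatic equivalent for window.open. `win` defaults to the real window
// and is injectable so the logic can be exercised outside a browser.
function safeOpen(url, win = globalThis.window) {
  // Browsers that understand the "noopener" feature return null here.
  const handle = win.open(url, '_blank', 'noopener,noreferrer');
  // Older browsers ignore the feature and return the new window: sever the
  // link by hand before the new page's script can run.
  if (handle) handle.opener = null;
  return handle;
}

// Constructed sample: a comment body as it might arrive from a user.
const SAMPLE_COMMENT =
  '<p>Check <a href="https://example.com/" target="_blank">this</a> and ' +
  '<a href="/local" target=_blank rel="nofollow">that</a>, but ' +
  '<a href="/same-tab">not this</a>.</p>';

console.log(hardenBlankTargets(SAMPLE_COMMENT));
```

Run this on the way out, when the stored comment is rendered, not on the way in, so links saved before the rule existed are covered too. The string-based rewrite is fine for a demonstration; in production the same logic belongs inside whatever HTML sanitizer already processes user content, so it sees parsed tags rather than regex matches. `noreferrer` is added alongside `noopener` because older browsers that do not understand `noopener` still sever the opener for `noreferrer` links.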