There are several attacks possible when embedding links with target="_blank". This is where rel="noopener" and rel="noreferrer" should help.
I am expecting that clicking the following link
<a href="https://google.com" target="_blank" rel="noreferrer">Google</a>
results in a new browser tab, with a new HTML5 session storage.
This works fine with Firefox 65.0, but not with Chromium 71.0 and Chrome 72.0.
The problem is, that with Chrome/Chromium the same HTML5 session storage persists.
Exactly the same behaviour can be observed when using rel="noopener" or rel="noopener noreferrer".
The implementation state is listed at:
My questions are:
- Is this behaviour appropriate?
- Am I missing something?
- How can I achieve the desired behaviour?
Addendum (further observations):
When right-clicking on the link in Chrome/Chromium and clicking either "Open link in new window" or "Open link in new tab", then there will also be created a new session storage. The same applies when holding the ctrl key and clicking the link (= new tab) or holding the shift key and clicking the link (= new window).
Further reading:
- https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
- https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
- https://www.thesitewizard.com/html-tutorial/open-links-in-new-window-or-tab.shtml
- https://stackoverflow.com/questions/50709625/link-with-target-blank-and-rel-noopener-noreferrer-still-vulnerable
- https://mathiasbynens.github.io/rel-noopener/
- https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage
- https://www.w3schools.com/html/html5_webstorage.asp
