Don't open user-supplied links with target="_blank"

The HTML spec was changed to prevent window.opener from accessing the parent page. This is implemented by all browsers except IE11.

This will give the target site full access to your Javascript environment through window.opener, if the target is on the same domain.

Even if the target site is on another domain, it still has some access and can for example manipulate window.location to perform a phishing attack.

You may use a rel="noopener" attribute to avoid this in modern browsers, except IE or Edge.

mathiasbynens.github.io
Henning Koch About 8 years ago
This website uses short-lived cookies to improve usability.
or learn more