Google Chrome

Google Chrome is getting a new feature that increases security when clicking on web page links that open URLs in a new window or tab.

When inserting links into an HTML page, authors can include the target="_blank" attribute that tells the browser to open the link in a new tab when clicked.

HTML showing a _blank attribute
HTML showing a _blank attribute

However, this attribute has a known security issue that allows the newly opened page to utilize javascript to redirect the original page to a different URL. This redirected URL can be anything the threat actor wants, including phishing pages or pages that automatically download malicious files.

For example, suppose we link to another site in our article and use the target="_blank" attribute. In that case, the new page can use JavaScript to redirect our article to a phishing page asking for BleepingComputer credentials.

To prevent this from happening, a rel="noopener" HTML link attribute was created that prevents a new tab from using JavaScript to redirect the page.

Noopener attribute added to a link
Noopener attribute added to a _blank link

Making _blank attributes automatically use noopener

In 2018, to increase security, Apple made a change in Safari that treats all HTML links that utilize target="_blank" to also automatically imply the noopener attribute.  With this feature enabled, even if a web site does not use rel="nooopener" on their URLs, the browser will still secure them.

Last week, Microsoft Edge developer Eric Lawrence added this same feature to Chromium, which means it will also be brought to Microsoft Edge, Google Chrome, Brave, and other Chromium-based browsers.

"To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|," Lawrence stated in a commit to the Chromium browser.

Chrome bug report about noopener
Chrome bug report about noopener

This feature is currently enabled in Chrome Canary and is expected to be released with Chrome 88 in January 2021.

Related Articles:

Google fixes one more Chrome zero-day exploited at Pwn2Own

New Chrome feature aims to stop hackers from using stolen cookies

Google agrees to delete Chrome browsing data of 136 million users

Google fixes Chrome zero-days exploited at Pwn2Own 2024

Microsoft again bothers Chrome users with Bing popup ads in Windows