Skip to content

Commit

Permalink
Extended data for #143
Browse files Browse the repository at this point in the history
  • Loading branch information
cure53 committed Mar 2, 2015
1 parent 63ad02d commit 81e499c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion items.js
Original file line number Diff line number Diff line change
Expand Up @@ -5080,7 +5080,7 @@ return [
'de' : '',
'zh' : ''
},
'data' : '<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null\r\n\r\n<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null\r\n\r\n<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works\r\n<form action="//evil.com" rel="noreferrer"><input type="submit"></form>// window.opener still works\r\n\r\n<math href="//evil.com" rel="noreferrer">CLICKME</math>// window.opener still works',
'data' : '<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null\r\n<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null\r\n\r\n<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works\r\n<form action="//evil.com" rel="noreferrer"><input type="submit"></form>// window.opener still works\r\n<form id="test" rel="noreferrer"></form><button formtarget="_blank" formaction="//evil.com">CLICKME</button>\r\n<math href="//evil.com" rel="noreferrer">CLICKME</math>// window.opener still works',
'description' : {
'en' : 'In many situations, a developer might want to mitigate tab-nabbing attacks that are using window.opener and its writable location object. To do so, it is recommended to apply external links with a rel="noreferrer" attribute. Depending on how the external links are embedded, the protection might however fail - and window.opener might not be null but still be exposed. The problem here is, that rel attributes only work for <a> and <area>. Links and link-like navigation features can however be embedded in multiple other ways. Further note, that MSIE pretty much ignores the standard and doesn\'t destroy window.opener without further effort.',
'ja' : '',
Expand Down

0 comments on commit 81e499c

Please sign in to comment.