Prevent reverse tabnapping in window.open

reitzmichnicht · May 10, 2021, 8:23am

Hi

There is the rule Web:S5148 for HTML to set noopener attribute on links.
But I could not find a rule for javascript that does the same check for window.open() calls.
Have a look at
Reverse Tabnabbing Software Attack | OWASP Foundation and HTML5 Security - OWASP Cheat Sheet Series which recommend to use the correct flags on the window.open call.

Kind regards,
Michael

eric.therond · May 11, 2021, 6:58am

Hello @reitzmichnicht
thanks for this idea, indeed it will be a nice addition to the rule s5148
we created a ticket to support that sonarjs-2621

Eric

reitzmichnicht · May 11, 2021, 8:08am

Thanks a lot, hopefully this will make it in the next updates.

Topic		Replies	Views
Web:S5148 could be extended to allow some dynamic URLs Report False-positive / False-negative... html , razor	3	537	July 6, 2023
Web:S5148 is triggered with "noreferrer" but no "noopener" Report False-positive / False-negative...	2	690	March 13, 2023
Rel noopener issue on window.open Report False-positive / False-negative... javascript , html	7	348	October 4, 2024
Disallow an <a> tag with JavaScript protocol in href New rules / language support javascript , html , jsp	1	2377	May 17, 2024
Update Links with "target=_blank" are security-sensitive New rules / language support	0	1311	April 30, 2021