Self-synchronization of blog
Recently combing team when eslint, found such a configuration in airbnb
'react/jsx-no-target-blank': 2
Introduce official document of something like this
如果你需要用 a 标签打开一个标签页时,你会使用 target='_blank' 这个属性,此时你需要添加 rel='noreferrer noopener'
That people are confused, maybe attribute is doing it, google it just knows that it is in order to solve security problems.
When you use target='_blank'
when you open a new tab, the new page window
has a property on an object opener
, it points to the previous page of window
the object, therefore, after a page before it gained control of a page, so terrible! !
Such is the case of a label <a href='/index'>打开连接</a>
, open input in the console window.opener.alert(1)
to see?
Even he can take effect in the case of cross-domain, such as opening <a href='https://github.com/ZhangFe/Blog'>链接<a/>
later, you can use the window.opener.location.replace
url before changing a page.
So, in order to avoid this, we need our protagonist debut!
For example, you now become such a link <a href='/index' rel=noopener>链接<a/>
, you will find that after re-open window.opener
has been set to null, if some older browser, you can use rel=noreferrer
it not only disabled window.opener
after a page can not get to referrer
, and then not be use js to open a new page after the opener
set null
to complete this function
var otherWindow = window.open();
otherWindow.opener = null;
otherWindow.location = url;
Reference Document
HTTPS: //html.spec.whatwg.org / ...
HTTPS: //mathiasbynens.github ....