Google Chrome to mitigate “tab-napping” by blocking redirects in new tabs or windows

You may have noticed one of two behaviors when clicking a link on a website: the link either opens in the same tab, or it opens in a new tab or window. Website authors control this by adding the target="_blank" attribute to links that they want to open in a new tab. This attribute directs the browser to open the link in a new tab when clicked. But the attribute has a known security issue: the newly opened page can use JavaScript to redirect the tab you came from to a different URL. This poses a serious threat, as the redirected URL could be a malware-laden website or a phishing page. To address this, Google Chrome is getting a new security measure.

As a recent report from BleepingComputer explains, website authors can already prevent new tabs from using JavaScript to redirect the page that opened them by using the rel="noopener" HTML link attribute. However, they have to manually add the attribute to every link that uses target="_blank". Back in 2018, Apple made a change in Safari that automatically implied the noopener attribute on HTML links that used target="_blank". Thanks to this, the browser automatically secured new tabs even if the author didn't use the rel="noopener" attribute. Last week, Microsoft Edge developer Eric Lawrence implemented the same feature in Chromium. This means that it will also be introduced in all Chromium-based browsers, like Microsoft Edge, Google Chrome, Brave, and more.

In a comment regarding the security measure, Lawrence stated:

“To mitigate ‘tab-napping’ attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.”

The new security measure is currently enabled in the Chrome Canary channel and it's expected to make its way to the stable channel with Chrome 88 in January next year. As mentioned earlier, the feature implies the "noopener" attribute on HTML links that use target="_blank" and prevents the newly opened page from using JavaScript to redirect the page that opened it, unless the link specifies otherwise.
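Because the protection depends on the visitor's browser implying noopener, site owners may still want to know which of their links rely on that default. The following is an added example, not code from the article or from Chromium: a small Node.js audit that classifies target="_blank" links by their rel value. The function names, status labels and sample markup are assumptions made for illustration; treating noreferrer as equivalent follows the HTML standard, where noreferrer implies noopener.

```javascript
// Added example: audit links that open a new tab or window.
// SAMPLE_HTML is constructed for this example; the URLs are placeholders.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">no rel at all</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">explicit</a>
<a href="https://example.com/c" target="_blank" rel="opener">opted out</a>
<a href="/local">same tab</a>
<A HREF='https://example.com/d' TARGET='_BLANK' REL='nofollow'>mixed case</A>
`;

// Parse the attribute text of one start tag into a lower-cased name -> value map.
// Like an HTML parser, the first occurrence of a duplicated attribute wins.
function parseAttributes(attrText) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of attrText.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns null for links that do not target _blank, otherwise one of:
//   "explicit"        rel carries noopener (or noreferrer, which implies it)
//   "opt-out"         rel="opener": the new page keeps window.opener
//   "browser-default" protected only where the browser implies noopener
function classify(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return null;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (rel.includes("noopener") || rel.includes("noreferrer")) return "explicit";
  if (rel.includes("opener")) return "opt-out";
  return "browser-default";
}

// Simple regex scan, adequate for an audit pass over templates; it does not
// handle a literal ">" inside an attribute value.
function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttributes(m[1]);
    const status = classify(attrs);
    if (status) findings.push({ href: attrs.href || "", status });
  }
  return findings;
}

for (const f of auditLinks(SAMPLE_HTML)) console.log(f.status.padEnd(16), f.href);
```

Links reported as "browser-default" are the ones worth fixing by hand if older browsers are in scope, and "opt-out" links should point only to pages the site trusts.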

This new security measure comes just days after Google patched two zero-day vulnerabilities in Chrome. You can read more about these vulnerabilities by following this link.

About author

Pranob Mehrotra