target attribute

Overview

The target attribute specifies where to display the linked URL as a name for the browsing context (a tab, window, or <iframe>). The following keywords have special meanings for where to load the URL:

_self - the current browsing context, by default.
_blank - usually a new tab, but users can configure browsers to open a new window instead.
_parent - the parent browsing context of the current one, if no parent, behaves as _self.
_top - the topmost browsing context (the "highest" context that’s an ancestor of the current one), if no ancestors, behaves as _self.

_blank

Using target=_blank allows the linked page to get partial access to the source page through the window.opener API. The newly opened tab can then change the window.opener.location to a phishing page or execute JavaScript on the opener page.

In newer browser versions (e.g. Firefox 79+) setting target="_blank" on <a> elements implicitly provides the same rel behavior as setting rel="noopener".

References

Target="_blank" — the most underestimated vulnerability ever

Previousmeta NextHTTP Header Security

Last updated 2 years ago