Make sure window.opener is null when opening tabs for users' links

Thanks to Hamid Ashraf (/u/hamihax) for the report! A lot of
user-agents allow windows and tabs to navigate their openers through
`window.opener.location`.

This creates a potential phishing risk where a victim with the
"open links in a new window" pref clicks a link submitted by an
attacker. The attacker's page may then navigate the reddit page that
opened it. When the user closes the tab with the attacker's submitted
content, they'll be greeted with an attacker-controlled page, and
they would be less likely to notice since the tab previously contained
a page served by reddit.

IMO this is really a flaw in same-origin policy, but the behaviour is
present in a number of browsers.
Jordan Milne
2014-12-16 21:31:50 -04:00
parent ee2ae1ed3a
commit 75f2413577

@@ -33,11 +33,18 @@ r.ui.init = function() {
/* Open links in new tabs if they have the preference set or are logged out
* and on a "large" screen. */
if (r.config.new_window && (r.config.logged || !smallScreen)) {
$(document.body).on('click', 'a.may-blank, .may-blank-within a', function() {
$(document.body).on('click', 'a.may-blank, .may-blank-within a', function(e) {
if (!this.target) {
this.target = '_blank'
// nullify `window.opener` so the new tab can't navigate us
var href = $(this).attr('href');
var w = window.open(null, '_blank');
w.opener = null;
w.location.href = href;
// suppress normal link opening behaviour
e.preventDefault();
return false;
}
return true // continue bubbling
return true; // continue bubbling
})
}
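Review bot: `window.open(null, '_blank')` can return `null` (popup blocker, or a user-agent that refuses to open the window), in which case `w.opener = null` on the next line throws a TypeError inside the click handler and, because `e.preventDefault()` has not yet run, the link falls through to its default navigation in the same tab rather than failing safely; guard it with `if (w) { ... }` and otherwise fall back to the old `this.target = '_blank'` path, or simply `return true` so the browser handles the click. Two smaller points on the same lines: the handler now swallows every left click, so a ctrl/cmd/shift-click that the browser would previously have turned into a background tab or new window via `target="_blank"` now becomes a foreground `window.open`; consider bailing out early when `e.ctrlKey || e.metaKey || e.shiftKey` so modifier-click semantics are preserved. And `$(this).attr('href')` returns the raw attribute, so a relative or protocol-relative value depends on how the new window's `location` setter resolves it; `this.href` yields the already-resolved absolute URL and is the safer value to hand to `w.location.href`.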