by illuna
3715 days ago
It's a bit confusing if you didn't pay close attention to the article, because neither link actually shows the `rel=noopener` fix. Instead, the two links present two different angles to the same problem. The first link demonstrates the attack using a page within the same domain (reasonable), and the second demonstrates that it will continue to work even when the link points to a page ordinarily restricted by cross-origin policies (potentially surprising). If you manually add `rel=noopener` to either link, the attack won't work. Try it with DevTools.
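An added example, not part of the comment above or the linked article: a small Node.js audit that lists links opening a new browsing context without `rel=noopener` (or `noreferrer`, which implies it). The function names and sample HTML are constructed for illustration, and the regex tag scan is a simplification that assumes reasonably well-formed markup.

```javascript
// Targets that reuse an existing browsing context; anything else may open a new one.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// Parse the attributes of one start tag into a map keyed by lowercase name.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<[a-zA-Z]+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every <a>/<area> that opens a new context without noopener/noreferrer.
function findUnsafeLinks(html) {
  const findings = [];
  const tagRe = /<(?:a|area)(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const target = (attrs.target || "").trim().toLowerCase();
    if (SAME_CONTEXT.has(target)) continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({ href: attrs.href || "", target, rel: rel.join(" ") });
  }
  return findings;
}

// Constructed sample markup (example.com URLs are placeholders).
const SAMPLE = `
<a href="https://example.com/a" target="_blank">no rel at all</a>
<a href="https://example.com/b" target="_blank" rel="noopener">fixed</a>
<a href='https://example.com/c' target=_blank rel="nofollow">rel without noopener</a>
<a href="https://example.com/d" rel="noopener">same tab</a>
<a href="https://example.com/e" target="_blank" rel="NoReferrer external">fixed</a>
<a href="/f" target="_self">explicit same tab</a>
`;

for (const f of findUnsafeLinks(SAMPLE)) {
  console.log(`missing rel=noopener: ${f.href} (target=${f.target}, rel="${f.rel}")`);
}
```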