Using the latest version of Chrome on Mac OS 10.7.
I assume it is some clever javascript that is enabling the folks at this webpage:
http://www.chairworks./
...to close my (the parent) page which opened their (chairworks.) page in the first place.
I did not open them with javascript, but with an <a> tag with the target="_blank" attribute.
If I disable javascript, then the behavior stops.
<a href="http://www.chairworks." target="_blank">www.chairworks.</a>
I would expect the page at chairworks./ to simply open in another tab/window... but what I find is that as soon as the new browser tab opens, it closes, and then my page (the parent tab/window) gets redirected to the chairworks. page.
Kinda rude.
Can someone point me to what code enables them to do that? And how do I prevent it? (Assuming I want a link to behave as expected, such as in my demo page.)
asked Aug 18, 2012 at 6:35 by govinda, edited Aug 18, 2012 at 9:15
- I had no idea this behavior was possible. At first glance this seems like an awesome potential exploit. – Andy Ray Commented Aug 18, 2012 at 6:51
- Normal behavior, by spec. But indeed, this is rude. Even the first time I've seen this in the wild (and boy do I surf the corners of the web..) Maybe they just wanted to escape being embedded in frames, but this is insane. I would actually notify management of this site. NOT the admins/programmers. Explain to management that they are killing their own site. Then hope they'll fight it out with their coders. – GitaarLAB Commented Aug 18, 2012 at 6:56
3 Answers
I believe the proper thing to do is set corresponding link type attribute so the browser doesn't provide the target window with an opener reference.
<a href="https://untrusted-site" target="_blank" rel="noreferrer noopener">Link</a>
You can read more about link types here: https://developer.mozilla/en-US/docs/Web/HTML/Link_types
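The rel-based fix above can be checked across existing markup. The following is an added example, not part of the original answer: it flags `target="_blank"` links that lack `noopener`/`noreferrer` and rewrites them. The function names and the sample hostnames are assumptions made for the example.

```javascript
// Added example: find <a target="_blank"> tags that leave window.opener
// reachable from the destination page and add rel="noopener noreferrer".
// Regex tag scan: a simplification for templates/static pages, not a full
// HTML parser (a ">" inside an attribute value is not handled).
const ANCHOR_TAG = /<a\s[^>]*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REL_ATTR = /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

// Parse one opening <a ...> tag into a Map with lowercase attribute names.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.slice(2, -1).matchAll(ATTR)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// True when the link opens a new tab/window without severing the opener.
// rel="noreferrer" counts too: it implies noopener.
function exposesOpener(attrs) {
  if ((attrs.get("target") || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.get("rel") || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return { html, fixed }: hardened markup plus the hrefs that were changed.
function hardenBlankLinks(html) {
  const fixed = [];
  const out = html.replace(ANCHOR_TAG, (tag) => {
    const attrs = parseAttrs(tag);
    if (!exposesOpener(attrs)) return tag;
    fixed.push(attrs.get("href") || "");
    // Keep existing rel tokens (e.g. nofollow) and merge in the two new ones.
    const keep = (attrs.get("rel") || "").split(/\s+/).filter(Boolean);
    const rel = [...new Set([...keep, "noopener", "noreferrer"])].join(" ");
    return tag.replace(REL_ATTR, "").replace(/\s*>$/, ` rel="${rel}">`);
  });
  return { html: out, fixed };
}

// Constructed sample markup; the hostnames are placeholders.
const SAMPLE = [
  '<a href="https://untrusted.example/" target="_blank">plain</a>',
  "<a target='_BLANK' rel='nofollow' href='https://ads.example/'>ad</a>",
  '<a href="https://untrusted.example/" target="_blank" rel="noreferrer noopener">ok</a>',
  '<a href="/local">same tab</a>',
].join("\n");
console.log(hardenBlankLinks(SAMPLE));
```

Current browsers already treat `target="_blank"` as implying `noopener`; the explicit `rel` covers older ones and keeps the intent visible in review.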
This is the script they are using:
setTimeout('redirect_page()',0);
function redirect_page(){if (window.opener) { window.opener.location.href = '/home.html'; window.close(); } else { location.href = '/home.html'; }}
As to how to circumvent it (just an idea):
Create your own blank page, with its source set to about:blank. When it loads (or after a time-out) you could write some code to that window that will then open the offending link.
Then the offending link just closes your buffer-page. F*ck 'm!! Power to the user!
Edit: looks like you could also name your page home.html hehe, but that is not such a workable solution..
Final Edit: SIMPLE LOGIC people...
<a href="http://www.chairworks./home.html" target="_blank">www.chairworks.</a>
works for everyone, no javascript needed.
See this working jsfiddle example.
As @GitaarLAB explained, the targeted website is using the window.opener property to get access to your page. Using some Javascript yourself, and an about:blank page in the middle, can help you cut their access to your page. It would be like:
<a href="http://www.chairworks./" target="_blank" onclick="var w = window.open('about:blank'); w.opener = null; w.open('http://www.chairworks./'); return false;">http://www.chairworks./</a>
Some notes:
- I'm leaving the href property there for users without JS enabled (guess what! the targeted website won't have JS either! ;), or the web crawlers like search engines' (only those who don't care about JS stuff, though)
- Before redirecting to the targeted website, you cut the back-link by resetting the window.opener attribute of the new window.
- And after opening the targeted website, there's a return false; to prevent the browser from using the href and target attributes.