
What does 'Unsafe Cross Origin' mean in Site Audit?

Unsafe Cross Origin

Description

Your page contains links to external sites with target='_blank' but without rel='noopener' or rel='noreferrer'. When you use target='_blank' on links without rel='noopener' or rel='noreferrer', the new page can access your window object via window.opener. This creates a security vulnerability where the linked page could redirect your page to a phishing site.

How to Fix

Add rel='noopener noreferrer' to all external links that use target='_blank'. The bad and good cases under Detailed Analysis show the attribute in place.

Detailed Analysis

  1. What Causes This Issue:

    • The issue of "Unsafe Cross Origin" arises when a webpage contains links that open in new tabs or windows using the target='_blank' attribute. If such links are not accompanied by the rel='noopener' or rel='noreferrer' attribute, they create a security vulnerability. This is because the newly opened page receives a reference to the originating window through its own window.opener property, potentially allowing the new page to manipulate the original page. This could be exploited by malicious sites, leading to security risks such as redirecting the original page to a phishing site.
  2. Why It's Important:

    • Security Risks: Allowing a new page to reach the originating page through window.opener exposes it to potential security threats. The new page can execute scripts that alter the original page's content, redirect it to malicious sites, or execute phishing attacks.
    • User Trust: Maintaining user trust is crucial for any website. If users are redirected to suspicious sites, it can harm the website's reputation and user trust.
    • SEO Implications: While this specific issue may not directly impact SEO rankings, it can influence user experience, which is a critical factor in SEO. Poor user experience can lead to higher bounce rates and lower engagement, indirectly affecting SEO performance.
  3. Best Practices to Prevent It:

    • Use rel='noopener': Adding rel='noopener' to your links with target='_blank' prevents the new page from accessing the window.opener property, thus mitigating the security risk.
    • Use rel='noreferrer': This attribute also prevents access to window.opener and additionally suppresses the HTTP Referer header for the navigation to the new tab, adding another layer of privacy.
    • Regular Security Audits: Conduct regular audits of your website to ensure all external links are secure and that no new vulnerabilities have been introduced.
    • Educate Content Creators: Ensure that anyone who can add content to the site understands the importance of using these attributes with external links.
  4. Examples of Good and Bad Cases:

    Bad Case:

    <a href="https://external-site.com" target="_blank">Visit External Site</a>
    • This example lacks the rel='noopener' or rel='noreferrer' attributes, making it susceptible to exploitation through the window.opener property.

    Good Case:

    <a href="https://external-site.com" target="_blank" rel="noopener">Visit External Site</a>
    • In this example, the rel='noopener' attribute is used, preventing the new page from accessing the window.opener property.

    Another Good Case:

    <a href="https://external-site.com" target="_blank" rel="noreferrer">Visit External Site</a>
    • Here, the rel='noreferrer' attribute is used, providing both security by blocking window.opener and privacy by not sending the HTTP Referer header.
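The following is an added example, not code from the original page or from the Site Audit tool, showing how the check described above and the recommended fix can be implemented: a small scanner that finds anchors with target='_blank' whose rel attribute carries neither noopener nor noreferrer, plus a rewriter that applies rel="noopener noreferrer" from the How to Fix section while keeping any rel tokens already present. It assumes Node.js (for the URL class), the sample HTML is constructed for this example, and the optional siteOrigin parameter (assumed name) restricts the report to external links, mirroring the audit's focus on links to other sites.

```javascript
// Added example (not part of the original page): audit and fix for
// "Unsafe Cross Origin" anchors. Assumes Node.js; SAMPLE_HTML is constructed.

// Every opening <a ...> tag; the attribute string is parsed separately.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// One attribute: name, then an optional ="..." / ='...' / =bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Returns a map of lower-cased attribute names to their values for one tag body.
function parseAttributes(body) {
  const attrs = {};
  for (const m of body.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel is a whitespace-separated, case-insensitive token list.
function relTokens(rel) {
  return new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the anchor opens a new browsing context but still hands it
// window.opener: target="_blank" with neither noopener nor noreferrer.
// noreferrer implies noopener, so either token is enough.
function isUnsafeCrossOrigin(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = relTokens(attrs.rel);
  return !(rel.has("noopener") || rel.has("noreferrer"));
}

// True when href resolves to an origin other than siteOrigin.
// Unparsable hrefs are treated as external so they are not silently skipped.
function isExternal(href, siteOrigin) {
  try {
    return new URL(href, siteOrigin).origin !== new URL(siteOrigin).origin;
  } catch {
    return true;
  }
}

// Scans an HTML string and returns the href of each unsafe anchor.
// With siteOrigin set (e.g. "https://example.com"), same-origin links are skipped.
function findUnsafeLinks(html, siteOrigin = null) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttributes(m[1]);
    if (!isUnsafeCrossOrigin(attrs)) continue;
    const href = attrs.href || "";
    if (siteOrigin && !isExternal(href, siteOrigin)) continue;
    unsafe.push(href);
  }
  return unsafe;
}

// Rewrites unsafe anchors to carry rel="noopener noreferrer" (the fix the page
// recommends), preserving rel tokens such as nofollow that are already there.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, body) => {
    const attrs = parseAttributes(body);
    if (!isUnsafeCrossOrigin(attrs)) return tag;
    const rel = relTokens(attrs.rel);
    rel.add("noopener");
    rel.add("noreferrer");
    const relValue = [...rel].join(" ");
    const relAttr = /(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;
    const newBody = relAttr.test(body)
      ? body.replace(relAttr, (_, pre) => `${pre}rel="${relValue}"`)
      : `${body.trimEnd()} rel="${relValue}"`;
    return `<a${newBody}>`;
  });
}

// Constructed sample page mixing safe and unsafe anchors.
const SAMPLE_HTML = `
<p><a href="https://external-site.com" target="_blank">Visit External Site</a></p>
<p><a href="https://external-site.com/docs" target="_blank" rel="noopener">Docs</a></p>
<p><a href="https://external-site.com/blog" target="_blank" rel="nofollow">Blog</a></p>
<p><a href="/about" target=_blank>About</a></p>
<p><a href="https://external-site.com/same-tab">Same tab</a></p>
`;

function main() {
  console.log("Unsafe (all):", findUnsafeLinks(SAMPLE_HTML));
  console.log("Unsafe (external only):", findUnsafeLinks(SAMPLE_HTML, "https://example.com"));
  const fixed = hardenLinks(SAMPLE_HTML);
  console.log("Unsafe after hardening:", findUnsafeLinks(fixed));
  console.log(fixed);
}

main();
```

Two practical notes on the design. Cross-origin, what a page reached through window.opener can do is limited to navigating it (assigning to its location) rather than reading or editing its content, which is exactly the redirect-to-phishing scenario the page describes. Current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) also apply noopener implicitly to target='_blank', but the explicit rel attribute remains the portable fix, is what the audit checks for, and with noreferrer additionally suppresses the Referer header.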

By implementing these best practices, you can safeguard your website from potential cross-origin security vulnerabilities while maintaining a positive user experience.