Now and then, when you click on a link on a website, the link will be opened in a new tab, but the old tab will also be redirected to some other phishing website where it asks you to login or starts downloading some malware to your device. In this blog post, I will explain how something like this is achieved, and how to easily prevent this from happening in your own websites. We see values like , and attached to attribute of tags. We usually see these values along with . Many of us do not know what each of the value means, and what happens when we set or do not set any of the values. In this blog post, I will explain what these values mean, and also explain what set of values to use for anchor tags in your website. noopener noreferrer nofollow rel anchor(<a>) target=_blank Before diving into the post, let's see what security implications will be there when you set on an anchor tag in your website. target="_blank" Google < = = > a href "https://google.com" target "_blank" </ > a When you create a hyperlink in the above way on your website with no attribute, clicking on it will open in a new tab. But there are some security risks in doing so. There is a property called, , which is set to the window of the opening tab, in this case, your website. rel google.com window.opener Let's see more of what I mean here in detail below. For example, let's say you have a link in with the target set to , but no attribute, then property in the opened tab(new tab) is automatically set to the window of the opening tab( tab). Hackernoon _blank rel window.opener Hackernoon Phishing attacks are often carried out in this way. Since the new tab has now access to the window of the previous tab, the new tab can set the location of the old tab using , and a login page can be shown in that fake site saying " ". Then if the user doesn't check that the domain name has changed and enters the login credentials, the attacker will now have access to the user's login details to site. The fake site may also make you download malware on to your device. . window.opener.location.href = 'link-of-some-fake-site-that-looks-almost-same-as-original-site' You have been logged out, please reenter your login credentials to login Hackernoon See the code in the below section if you do not yet understand properly what I mean This popular attack that a lot of websites are victim to is called . Reverse Tabnabbing So, what is the solution to this? The solution is very simple. You just have to set the attribute of your tag to whenever there is set. What this means is simple, when you click on the link, it opens the page in a new tab, and also value in the new tab is set to . Now, the new link has no access to the tab that this new link is opened from. rel anchor noopener target="_blank" window.opener null Let's see in detail what each of the values mean and also see what values you should use in your website. noopener When you set this value along with , you are instructing the browser to open the link in a new tab, but do not give access to the page that opened it( in new tab). target=_blank window.opener = null I don't see any use-case where you would ever want to give access to the of your website to some other external website. So it is always best to have value in the attribute of your anchor tag, whenever you set the to . window noopener rel target _blank Some External Website  < = = > a href "some-external-link" target "_blank" </ > a  < > script .opener.location.href = // "window.opener" will be set to the "window" of your website. So the external website can do something like the following window 'link-to-some-phising-website-that-looks-almost-same-as-your-own-website' </ > script To prevent the above attack, you just have to add to your link. rel=noopener Some External Website < = = = > a href "some-external-link" rel "noopener" target "_blank" </ > a  < > script .opener.location.href = // "window.opener" will be set to the "null" in this case. So if the external website does something like the following window 'link-to-some-phising-website-that-looks-almost-same-as-your-own-website' // This throws TypeError since "window.opener" is "null" </ > script noreferrer is very much similar to its function as . This also prevents the newly opened site to manipulate the window of the opening tab. ( will be set to ). The extra thing that will have in addition to is that it will hide the referrer information when the link is clicked. For example, if you have a link to your website with and , then when the user clicks on that link, they will be taken to your website, but your website will not have access to where the users coming from. Your analytics software like will consider these users as direct traffic and not as a referral. noreferrer noopener window.opener null noreferrer noopener noreferrer target="_blank" Google Analytics Based on this explanation, I hope you have a clear idea of what means and when to use it and when not to use it. If you don't want to pass on any referrer information to the external links, then consider using value, otherwise do not use it. noreferrer noreferrer You will often see the anchor tags with both . Since also does what is doing, why to have along with . This is mainly to support old browsers. Some of the old browsers do not support value, so whenever you want to use , you also see people using value along with it. noopener noreferrer noreferrer noopener noopener noreferrer noopener noopener noreferrer Some External Website  < = = = > a href "some-external-link" rel "noopener noreferrer" target "_blank" </ > a nofollow To have good SEO on your website, it is crucial to have backlinks to your website. All links are not equal in value. Some will be valued more than others. Search engines use something called algorithm to determine the value of a link or website. When you link another website from your website, you are endorsing that other page, so the value of the other page will be increased in proportion to what value your website has. Similarly, the value of your website is determined by the backlinks that are pointed to your website, and again all the values of all the backlinks are not the same. I will talk more about Google's Page Ranking algorithm, and in detail in some other blog post. Let's just get back to what setting value to your link means. Page Ranking rel=nofollow When you set to a link in your website, you are telling Google that you are not endorsing the link and also telling it not to pass the page rank value of your website to it. nofollow You will typically use when linking to internal pages or when you are linking to a less valuable site from your more valuable site. nofollow Google recently introduced some other values like , etc, which are out of scope for this blog post. rel=sponsored rel=ugc Some External Website  < = = = > a href "some-external-link" rel "nofollow" target "_blank" </ > a Note: You can even set all the three values to attribute. rel Some External < = = = > a href "some-external-link" rel "noopener noreferrer nofollow" target "_blank" Conclusion You can(and probably should) use on all links that have . rel="noopener" target="_blank" does the same thing as especially in older browsers which do not support . In addition to it, setting will affect analytics of the external website. rel="noreferrer" noopener noopener rel="noreferrer" You should use when you don't want to endorse links on your websites. This affects the SEO of the external website. rel="nofollow" Links and References: Reverse Tabnabbing Attack HTML Spec Explained: noopener, noreferrer, and nofollow Values Other Articles that you may like: Why you should start using HSL color format Create Your Own Super Simple URL Shortener My Review of Kent C. Dodds's EpicReact.Dev Series Previously published at https://blog.bhanuteja.dev/noopener-noreferrer-and-nofollow-when-to-use-them-how-can-these-prevent-phishing-attacks

Google

Super

Target

Follow me on Twitter @pbteja1998

Read My Stories

Too Long; Didn't Read

Build an AI-based text classifier with Tensorflow & NoSQL

Prevent Reverse Tabnabbing Attacks With Proper noopener, noreferrer, and nofollow Attribution

Too Long; Didn't Read

Companies Mentioned

@pbteja1998

RELATED STORIES