An update to the Chrome browser will soon introduce increased security when clicking on web page links. Normally, when a web developer inserts a link into a page, they can add the attribute target="_blank" to force the link to open in a new tab or window. It can be a convenient way to link their readers to external content without driving them away from their website, but it also provides an opportunity for threat actors to redirected Chrome users to potentially malicious URLs.
When clicked, the user’s traffic could be manipulated by hackers using JavaScript to bring them to a page that automatically downloads a malicious file to their computer or to a phishing site that imitates an official source in hopes that they will input their credentials. This is often-times referred to as “tab-napping” and can lead to some pretty serious consequences for those who aren’t sure what to look out for. The new update to Chrome will instead force target="_blank" to behave as rel="noopener" by default. Noopener is an attribute that was created several years ago and was implemented by Apple and Microsoft in their browsers to prevent users from secretly being taken advantage of. While Chrome web devs could hand-code this into their links all along, it’s never been automated on their behalf until now.
If you’re a regular Chrome user, this simply means that you will passively benefit from an important and welcome security enhancement that will be mostly invisible during your day to day browsing. The feature is already live in Chrome Canary, but everyone else will have to wait until Chrome 88 drops in January. Developers who wish to opt-out of using the automatic “noopener” can specify |rel="opener"| for their links instead.
