The brave public deploy, onwards to the glorious future! And remembering to play safely when opening new windows.
After six months or so mouldering on my hard drive, I remembered that:
- This site exists
- I own this domain name
- WTF Ali just put it up already.
So, let us all rejoice, I did it. And then, I caught this reminder on Twitter just as I was pushing this site live:
And oh, oops! I had indeed given those lovely Instagram photos in the footer of my page new window openings with target=_blank, without doing the necessary cleansing of the opener reference. Without removing the new window’s knowledge of the original window, it would be easy for the page opened in the new window to change the original window to something fraudulent and nefarious.
www.alihaberfield.evil-spy-twin.com, for example, which would look exactly like this but be made to steal your identity rather than showcase my tech opinions and photos of spiders.
I had something like this:
All I needed to do to fix it up was change it to something like this:
So there you go, closing one particularly glaring and obvious hole in this leaking privacy and security disaster we call the internet is as easy as throwing some extra junk into your markup, which is probably about as free & easy as it gets.
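An added example, not the author's code: a small Node.js check that finds `target=_blank` links still exposing `window.opener` and adds `rel="noopener noreferrer"`, the standard attribute for severing the opener reference. The Instagram URLs and the function names are constructed for illustration.

```javascript
// Added example: find target=_blank links that still expose window.opener.
// Regex-based so it runs in plain Node; assumes no '>' inside attribute values.
const TAG = /<a\b[^>]*>/gi;
const REL = /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

// Read one attribute value (double-quoted, single-quoted or unquoted), or null.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function relTokens(tag) {
  return (attr(tag, 'rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Unsafe: opens a new window and nothing in rel severs the opener reference.
// (noreferrer implies noopener, so either token is enough.)
function isUnsafe(tag) {
  const target = attr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = relTokens(tag);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

function findUnsafe(html) {
  return (html.match(TAG) || []).filter(isUnsafe);
}

// Rewrite unsafe links, keeping any rel tokens that were already there.
function harden(html) {
  return html.replace(TAG, (tag) => {
    if (!isUnsafe(tag)) return tag;
    const rel = [...new Set([...relTokens(tag), 'noopener', 'noreferrer'])].join(' ');
    return tag.replace(REL, '').replace(/\s*>$/, ` rel="${rel}">`);
  });
}

// Constructed sample footer markup (placeholder URLs).
const sample = [
  '<a href="https://www.instagram.com/p/EXAMPLE1/" target=_blank><img src="a.jpg"></a>',
  '<a href="https://www.instagram.com/p/EXAMPLE2/" target="_blank" rel="nofollow">x</a>',
  '<a href="https://www.instagram.com/p/EXAMPLE3/" target="_blank" rel="noopener">x</a>',
  '<a href="/about">About</a>',
].join('\n');

console.log(findUnsafe(sample).length, 'unsafe link(s) found');
console.log(harden(sample));
```

Current browsers already treat `target=_blank` as `noopener` by default; the explicit attribute covers older ones.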