react-secure-link
Advanced tools
A TypeScript compatible, zero dependency React component to avoid security exploits when opening a link in a new tab.
A TypeScript compatible React component to avoid security exploits when opening a link in a new tab. react-secure-link is lightweight and has zero dependencies!
It's possible when opening a link to a webpage in a new tab that the webpage in the new tab can hijack the webpage in the original tab via the window.opener property. This is an easy, low-level exploit. Here is how it can occur:
A hacker knows they can leave links in comments on your webpage and that they will open in a new tab. When a user to your website clicks that link, it will show them a seemingly harmless webpage. This newly opened tab has access to the window.opener property which the hacker can exploit. This webpage will use the window.opener property to run a little JavaScript like: window.opener.location = "https://www.some-malicious-website.com/login.html". This changes what webpage is opened in the original tab where the user clicked the link. This is problematic if the hacker redirects the original tab to a webpage that looks like the original. The hacker could show a message like, "You have been automatically logged out, log back in to continue." Since the webpage looks the same and the user knows they were just on the same webpage in that same tab, they'll trust the login form, but now their account has been compromised and they don't know it. The hacker could then redirect back to the original webpage after the login form is submitted to further cover their tracks.
window.opener Property?From MDN:
The Window interface's opener property returns a reference to the window that opened the window, either with open(), or by navigating a link with a target attribute.
react-secure-link Prevent this Exploit?Using react-secure-link for outbound links prevents the new tab from having access to the window.opener property altogether.
react-secure-link to your project via npm install react-secure-linkimport { SecureLink } from "react-secure-link";<SecureLink href="https://www.npmjs.com/package/react-secure-link">react-secure-link on NPM</SecureLink>There are several examples of the various ways to use this package on CodeSandbox.
react-secure-link CodeSandbox Examples
SecureLink can be used to make text, images, or other children components clickable. In addition, standard a element attributes can be pass in as props (i.e. href, className, id, role, style).
<SecureLink href="https://www.npmjs.com/package/react-secure-link" />
<SecureLink
href="https://www.npmjs.com/package/react-secure-link"
className="no-link-decoration"
style={{ color: "red" }}
key={123}
onClick={() => console.log("Clicked")}
>
react-secure-link on NPM
</SecureLink>
FAQs
A TypeScript compatible, zero dependency React component to avoid security exploits when opening a link in a new tab.
The npm package react-secure-link receives a total of 759 weekly downloads. As such, react-secure-link popularity was classified as not popular.
We found that react-secure-link demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.
Security News
Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.
Security News
Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.