Oxygen WebHelp support for mitigating tabnabbing security threat
-
- Posts: 316
- Joined: Wed Jun 17, 2015 10:19 am
Oxygen WebHelp support for mitigating tabnabbing security threat
Post by ann.jensen »
Hi,
Will Oxygen WebHelp be updated or has it been updated to mitigate against the security threat described in
https://cheatsheetseries.owasp.org/chea ... tabnabbing?
Thanks in advance,
Ann
-
- Posts: 38
- Joined: Fri Jan 22, 2021 11:05 am
Re: Oxygen WebHelp support for mitigating tabnabbing security threat
Post by beniamin_savu »
Hi,
Oxygen WebHelp does have support for mitigating tabnabbing. Firstly, we do not use window.open in our JavaScript code to open pages in a new tab. Further, for external links, we try to include the "noopener" value in the @rel attribute, provided you are using an <xref> or <topicref> element with the @scope attribute set to "external". For example:
<xref href="https://google.com" format="html" scope="external">Content</xref>
We recognize the importance of security in today's digital environment, so please do notify us immediately if you encounter any security issues within the WebHelp Responsive output. Your feedback is invaluable as we continue to enhance our software's security features.
Also, it is worth noting, as per the Open Web Application Security Project (OWASP), most modern browsers are expected to have built-in support for adding @rel="noopener" on links directed to open in a new tab (@target="_blank"). More details can be found here: https://owasp.org/www-community/attacks ... Tabnabbing
Best regards,
Beniamin Savu
Oxygen WebHelp Team
http://www.oxygenxml.com
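One way to check published HTML for the mitigation discussed in this thread, as an added example that is not part of the original posts and not Oxygen's own code: a Python scan that reports links opening in a new tab (target="_blank") whose rel attribute lacks "noopener" (or "noreferrer", which implies it). The sample HTML, class name and function name are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of published HTML (not real WebHelp output).
SAMPLE_HTML = """
<p><a href="https://example.com/a" target="_blank" rel="noopener">ok</a>
<a href="https://example.com/b" target="_blank" rel="external nofollow">flag</a>
<a href="https://example.com/c" target="_BLANK">flag: no rel at all</a>
<a href="https://example.com/d" target="_blank" rel="NoReferrer">ok</a>
<a href="topic.html">same tab, not relevant</a>
<area href="https://example.com/e" target="_blank"></p>
"""


class BlankTargetAudit(HTMLParser):
    """Collect <a>/<area> elements that open a new tab without noopener."""

    LINK_TAGS = {"a", "area"}
    SAFE_TOKENS = {"noopener", "noreferrer"}  # noreferrer implies noopener

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, href) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in self.LINK_TAGS:
            return
        first = {}
        for name, value in attrs:
            # Browsers honour the first occurrence of a duplicated attribute.
            first.setdefault(name, value or "")
        # The _blank keyword and rel tokens are ASCII case-insensitive.
        if first.get("target", "").strip().lower() != "_blank":
            return
        rel_tokens = set(first.get("rel", "").lower().split())
        if not rel_tokens & self.SAFE_TOKENS:
            line, _ = self.getpos()
            self.findings.append((line, tag, first.get("href", "")))


def audit(html):
    """Return findings for every new-tab link missing noopener/noreferrer."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, tag, href in audit(SAMPLE_HTML):
        print(f"line {line}: <{tag}> to {href} opens a new tab without noopener")
```

Running it over each generated page of a build gives an explicit check that does not depend on the browser default mentioned in the reply above.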
-
- Posts: 316
- Joined: Wed Jun 17, 2015 10:19 am
Re: Oxygen WebHelp support for mitigating tabnabbing security threat
Post by ann.jensen »
That's very informative, thank you Beniamin
Regards,
Ann