Oxygen WebHelp support for mitigating tabnabbing security threat

Post here questions and problems related to editing and publishing DITA content.
ann.jensen
Posts: 297
Joined: Wed Jun 17, 2015 10:19 am

Oxygen WebHelp support for mitigating tabnabbing security threat

Post by ann.jensen »

Hi,
Will Oxygen WebHelp be updated or has it been updated to mitigate against the security threat described in
https://cheatsheetseries.owasp.org/chea ... tabnabbing?
Thanks in advance,
Ann
beniamin_savu
Posts: 32
Joined: Fri Jan 22, 2021 11:05 am

Re: Oxygen WebHelp support for mitigating tabnabbing security threat

Post by beniamin_savu »

Hi,

Oxygen WebHelp does have support for mitigating tabnabbing. Firstly we do no use window.open in our JavaScript code to open pages in a new tab. Further, for external links, we try to include the "noopener" value in the @rel attribute, provided you are using an <xref> or <topicref> element with the @scope attribute set to "external". For example:

Code: Select all

<xref href="https://google.com" format="html" scope="external">Content</xref>
We recognize the importance of security in today's digital environment, so please do notify us immediately if you encounter any security issues within the WebHelp Responsive output. Your feedback is invaluable as we continue to enhance our software's security features.

Also, it is worth noting, as per the Open Web Application Security Project (OWASP), most modern browsers are expected to have built-in support for adding @rel="noopener" on links directed to open in a new tab (@target="_blank"). More details can be found here: https://owasp.org/www-community/attacks ... Tabnabbing

Best regards,
Beniamin Savu
Oxygen WebHelp Team
http://www.oxygenxml.com
ann.jensen
Posts: 297
Joined: Wed Jun 17, 2015 10:19 am

Re: Oxygen WebHelp support for mitigating tabnabbing security threat

Post by ann.jensen »

That's very informative, thank you Beniamin
Regards,
Ann
Post Reply