Chrome to block tab-nabbing attacks

Firefox and Safari are already blocking these types of web attacks

Chrome Logo

Image: Google // Composition: ZDNet

Google will deploy a new security feature in Chrome next year to prevent tab-nabbing, a type of web attack that allows newly opened tabs to hijack the original tab from where they were opened.

The new feature is scheduled to go live with Chrome 88, to be released in January 2021.

While the term "tab-nabbing" refers to a broad class of tab hijacking attacks [see OWASPWikipedia], Google is addressing a particular scenario.

This scenario refers to situations when users click on a link, and the link opens in a new tab (via the "target=_blank" attribute).

These new tabs have access to the original page that opened the new link. Via the JavaScript "window.opener" function, the newly opened tabs can modify the original page and redirect users to malicious sites.

tabnabbing-overview-with-link.png

Image: OWASP

This type of attack has powered quite a few phishing campaigns across the years. To mitigate this threat, browser makers like AppleGoogle, and Mozilla have created the rel="noopener" attribute.

For the past few years, security researchers and top web developers have constantly advocated that website owners add the rel="noopener" to all the links where they also used the "target=_blank" attribute as a way to block tab-nabbing attacks [12].

However, most of today's websites end up abandoned, or website owners don't have the time to keep up with the latest trends in web development and web security.

That is why, in 2018, both Apple and Mozilla moved to incorporate the rel="noopener" attribute and automatically add it to all newly opened tabs inside Safari and Firefox by default.

With Chrome 88, Google will be catching up with the two other major browser makers. Besides adding this feature in Chrome, the new tab-nabbing protection will also go be added to all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave.