Introduced in r41333, $wgExternalLinkTarget allows MediaWiki operators to set the target attribute on external links. The documented use case is to set $wgExternalLinkTarget = '_blank'; so that links open in a new window or tab:
/**
 * Set a default target for external links, e.g. _blank to pop up a new window
 */
$wgExternalLinkTarget = false;
The problem is that when you click on a target="_blank" link, JavaScript code on the destination page has full control of the window object of the source page, via window.opener. In the event the page is cross-origin, the new window is allowed to set window.opener.location to a new value.
window.opener.document is protected by CORS, but window.opener.location is not, allowing the target page to surreptitiously redirect the tab that opened it to a phishing page.
There is a good explanation of this issue, with working examples, at https://mathiasbynens.github.io/rel-noopener/
This is a good reason never to use target="_blank" with user-generated links.
Should we prevent users from shooting themselves in the foot by deprecating and refusing to honor $wgExternalLinkTarget when it is set to "_blank"? (This article suggests most people who think they want to use _blank shouldn't.)
At minimum, I think we should:
- Update the comment to make it clear that this is risky.
- Emit a warning when the configured value is unsafe.
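As an added illustration (not MediaWiki's own code), the JavaScript below shows both halves of the mitigation discussed above: a link renderer that emits rel="noopener noreferrer" whenever the configured target opens a new browsing context, an audit that flags rendered anchors which still lack noopener, and a configuration check that produces the kind of warning the report proposes. The function names, the classification of "_self"/"_parent"/"_top" as same-context targets, and the sample HTML are assumptions made for the example.

```javascript
// Added example, not MediaWiki code. Demonstrates how to neutralise the
// window.opener exposure of target="_blank" and how to audit for it.

// Targets that reuse an existing browsing context and therefore do not
// hand the destination a window.opener reference (assumption for this example).
const SAME_CONTEXT_TARGETS = ['_self', '_parent', '_top'];

// Escape attribute values so untrusted hrefs cannot break out of the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render an external link. If the target opens a new browsing context,
// add rel="noopener noreferrer": noopener nulls window.opener in the new
// window, and noreferrer does the same in older browsers that predate noopener.
function renderExternalLink(href, text, target) {
  const attrs = [`href="${escapeAttr(href)}"`];
  if (target) {
    attrs.push(`target="${escapeAttr(target)}"`);
    if (!SAME_CONTEXT_TARGETS.includes(String(target).toLowerCase())) {
      attrs.push('rel="noopener noreferrer"');
    }
  }
  return `<a ${attrs.join(' ')}>${escapeAttr(text)}</a>`;
}

// Audit rendered HTML for <a> tags that open a new context without noopener.
// Regex-based and limited to double-quoted attributes; adequate for output
// checks in tests, not a substitute for a real HTML parser.
function findUnsafeLinks(html) {
  const unsafe = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const tag = m[0];
    const target = /\btarget\s*=\s*"([^"]*)"/i.exec(tag);
    if (!target || SAME_CONTEXT_TARGETS.includes(target[1].toLowerCase())) continue;
    const rel = /\brel\s*=\s*"([^"]*)"/i.exec(tag);
    const tokens = rel ? rel[1].toLowerCase().split(/\s+/) : [];
    if (!tokens.includes('noopener')) unsafe.push(tag);
  }
  return unsafe;
}

// The warning the report asks for: classify a $wgExternalLinkTarget value.
// false / empty / same-context targets are fine; anything else opens a new
// context that can reach window.opener.location unless noopener is emitted.
function checkExternalLinkTarget(value) {
  if (!value || SAME_CONTEXT_TARGETS.includes(String(value).toLowerCase())) {
    return { safe: true, warning: null };
  }
  return {
    safe: false,
    warning: `$wgExternalLinkTarget is set to "${value}": external links will open ` +
             'in a new browsing context that can set window.opener.location; ' +
             'emit rel="noopener" on those links or use a same-context target',
  };
}

// Constructed sample of rendered page output (not from a real wiki).
const SAMPLE_HTML = [
  '<p>See <a href="https://example.org/" target="_blank">example</a> and',
  '<a href="https://example.net/" target="_blank" rel="nofollow noopener">other</a>.</p>',
].join('\n');

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderExternalLink('https://example.org/?a=1&b=2', 'example', '_blank'));
  console.log('unsafe anchors:', findUnsafeLinks(SAMPLE_HTML));
  console.log(checkExternalLinkTarget('_blank').warning);
}
```

Running the file under Node prints the hardened anchor, lists the one sample link that still lacks noopener, and shows the warning text for a "_blank" configuration. The same audit can be run over a wiki's rendered output in CI to confirm that no external link ships with target="_blank" and no rel="noopener".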
see also: