
Does this "work" for cross-origin requests? If I plant a `target=_blank` link on my website, the user clicks it and goes to my second website, do I have control over the website the link came from? If not, I don't see the security issue. Of course you can XSS yourself, what have you.

To some extent... yes.

The attacker can replace the current page with his own phishing page.

Of course, the hostname part of the URL would change, but the user is unlikely to notice that.

Case in point: people still fall for things like `facebook.com.totallynotaphishingsite.com`

There's a huge difference between clicking on a random facebook.com.totallynotphishing.com link, and being on the legitimate facebook.com and having that tab automatically go to a phishing site while you're not looking.

Yes, it says so lower down the article.

