My Steve Jobs tribute page

carloshc.15 · December 13, 2017, 12:32am

this is my first html project, i hope you like it. https://codepen.io/Charlie15/full/baGMzO

Diego_Perez · December 13, 2017, 10:10pm

HTML:

Is better not use the style attribute:

<body style="padding-left: 80px; padding-right:80px;" class="text-responsive">

Because, you have multiple styles sources (That’s make the page more difficult to review.):

The CSS tab
Every element on the html with the style attribute

MDN documentation:
style - HTML: HyperText Markup Language | MDN

The style global attribute contains CSS styling declarations to be applied to the element. Note that it is recommended for styles to be defined in a separate file or files. This attribute and the <style> element have mainly the purpose of allowing for quick styling, for example for testing purposes.

---

The ‘align’ attribute is no longer valid on the <div> element and should not be used.

 <div  style="background-color: #cda;" align="center">

MDN documentation:

<div>: The Content Division element - HTML: HyperText Markup Language | MDN

Attributes

The align attribute is obsolete; do not use it anymore.

----

Target blank vulnerability

<a href="https://en.wikipedia.org/wiki/Steve_Jobs" target="_blank">click here</a>

MDN documentation:

<a>: The Anchor element - HTML: HyperText Markup Language | MDN

Note: When using target, consider adding rel=“noopener noreferrer”
to avoid exploitation of the window.opener API.

About rel=noopener

TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.

Target="_blank" - the most underestimated vulnerability ever

People using target=‘_blank’ links usually have no idea about this curious fact:
The page we’re linking to gains partial access to the linking page via the window.opener object.
The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf… Users trust the page that is already opened, they won’t get suspicious.

How to fix
Add this to your outgoing links.

rel="noopener"

Update: FF does not support “noopener” so add this.

rel="noopener noreferrer"

Remember, that every time you open a new window via window.open(); you’re also “vulnerable” to this, so always reset the “opener” property

var newWnd = window.open();
newWnd.opener = null;

Cheers and happy coding

carloshc.15 · December 14, 2017, 5:43am

thank you for the feedback, i have no idea how to use _blank, there’s a lot of work to do

gururajankappa · March 4, 2021, 9:10am

There’s nothing confusing about it.
It just means open the link in a new tab.
For a link you just set target to _blank
Like this :-
target=‘_blank’