The security risk that is the humble link in your webpages

Submitted by Robert MacLean on Fri, 08/17/2018 - 09:00
tl;dr: When adding the `target` attribute to an `a` element which takes you to a property you do not own, you _must_ add `rel="noopener noreferrer"`.

# Info

When you open a link using `target`, for example in a new tab (`target="_blank"`), the browser may set the `window.opener` of the new tab to be the original window. This is not done universally, but Firefox & Chrome both do it. This means that the new tab can access some of the info from the original window/tab. If it is on the same domain then that is a lot, including cookies and content. If it is on a different domain then the [same origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) will protect that information, though some things are still available.

# Attack Vectors

These attack vectors are very targeted and don't represent a major risk IMHO, but at the same time, the cost of doing this is less than the risk, so it is a recommendation from me.

## Same Domain

It is not uncommon for a single domain to have pieces built by multiple teams, especially as web components get better adoption, so a vulnerability in any team contributing to the content now has the potential to impact all teams. For example:

* https://badsite.com/login.html is built by teamA and has a simple login to the backend.
* https://badsite.com/products.html is built by teamB and is a public site listing products.

If the login page had a link to products which opened in a new tab, then all JS in products can manipulate the login page, for example by silently injecting code which sends the login details to the attacker. This example is also a good reason to embrace [sub-resource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), especially if you are using a CDN for JS, CSS etc...

It is also possible to use [document.domain](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) to get increased access to super domains; though things like cookies are still not accessible since the change will have been detected.

## Different Domain

In this scenario, the data is really locked down, though there are two possible attack vectors here.

### Location Changes

The location of the parent window/tab can be changed. This could allow an attacker to redirect the original window/tab to a page which has a vulnerability in it or, in a targeted attack, it could open a page that looks the same. For example: you open a link from your bank's website to a 3rd party. That 3rd party has a piece of JS (either intentional or unintentional, for example a compromised CDN resource) which checks the location, sees it is your bank and changes it to a phishing site. You go back to the tab, expecting it to be your bank, log in and have compromised your credentials.

### postMessage

[postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) is an API which allows pages to communicate with each other, even across different domains. If `postMessage` is used on the parent and its handler contains a vulnerability, that could allow the new page to gain additional privileges.

# Solution

Add `rel="noopener noreferrer"` to your links to prevent `window.opener` from being set, unless you *trust* the property you are linking to. `noopener` is the token that actually severs the `window.opener` link; `noreferrer` additionally suppresses the `Referer` header and is honoured by older browsers that predate `noopener`, which is why the two are recommended together. Newer browsers now treat `target="_blank"` as `noopener` by default, but an explicit `rel` still covers older browsers and makes the intent visible in code review.
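The rule above can be enforced mechanically. The following is an added example, not code from the original post: a small JavaScript lint helper that, given an `a` element's attributes, decides which `rel` tokens it needs, and scans a snippet of static markup for links that are missing them. `SITE_ORIGIN`, the trusted-origin list and the sample markup are assumptions constructed for the example. By default it trusts the site's own origin (matching the tl;dr); passing an empty trusted list flags same-origin `target="_blank"` links as well, which covers the Same Domain scenario.

```javascript
// Added example, not part of the original post: a small lint/fix helper that
// applies the post's rule to <a> elements found in an HTML string. The origin
// and the sample markup below are constructed for illustration.

// Assumption: the origin we own; relative hrefs resolve against it.
const SITE_ORIGIN = "https://example.org";

// Decide which rel tokens an anchor needs. A link can only hand the new page a
// window.opener when it opens a new browsing context (target set and not
// _self), so only those links get noopener/noreferrer, and only when the
// destination origin is not one we trust.
function requiredRel({ href = "", target = "", rel = "" }, trustedOrigins = [SITE_ORIGIN]) {
  const tokens = new Set(rel.split(/\s+/).filter(Boolean));
  const opensNewContext = target !== "" && target !== "_self";
  if (!opensNewContext) return [...tokens].join(" ");

  let origin;
  try {
    origin = new URL(href, SITE_ORIGIN).origin;
  } catch {
    origin = null; // unparsable href: treat as untrusted
  }
  if (origin === null || !trustedOrigins.includes(origin)) {
    tokens.add("noopener");
    tokens.add("noreferrer");
  }
  return [...tokens].join(" ");
}

// Very small attribute parser for <a ...> tags in static markup. It handles
// double-quoted attributes, which is enough to lint templates; a real tool
// would use a proper HTML parser.
function parseAnchorAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Return the hrefs of anchors whose rel is missing a token the rule requires.
function findUnsafeAnchors(html, trustedOrigins = [SITE_ORIGIN]) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAnchorAttrs(m[1]);
    const have = new Set((attrs.rel || "").split(/\s+/).filter(Boolean));
    const need = requiredRel(attrs, trustedOrigins).split(/\s+/).filter(Boolean);
    if (need.some((t) => !have.has(t))) unsafe.push(attrs.href || "");
  }
  return unsafe;
}

// Constructed sample markup: one protected external link, one internal link,
// one external link missing the rel attribute, and one link with no target.
const SAMPLE_HTML = `
<a href="https://partner.example/docs" target="_blank" rel="noopener noreferrer">docs</a>
<a href="/products.html" target="_blank">products</a>
<a href="https://other.example/page" target="_blank">other</a>
<a href="https://other.example/inline">no target, so no new browsing context</a>
`;

console.log(findUnsafeAnchors(SAMPLE_HTML)); // → [ 'https://other.example/page' ]
```

Running the block reports only the unprotected external link; calling `findUnsafeAnchors(SAMPLE_HTML, [])` also reports the internal `/products.html` link, which is the stricter policy to apply when several teams share one domain.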

Learning Kotlin: Invoke

Submitted by Robert MacLean on Thu, 08/16/2018 - 09:00
**More Information**

* This is the 21st post in a multipart series. If you want to read more, see our [series index](/learning-kotlin-introduction)

Today we tackle a weird operator, `invoke`, which lets an instance of a class have a default function - which I am not sure I've ever seen any language do. So let us frame this with a simple example: we have a config class which returns the configuration for something:

```kotlin
class Config {
    fun get():String {
        // do stuff
        return "stuff"
    }
}

fun main(args: Array<String>) {
    val config = Config()
    println(config.get())
}
```

Now, in our world maybe `get` is the primary use, so we can actually make it so that the _instance_ config (line 9) can be called to get it:

```kotlin
class Config {
    operator fun invoke(): String {
        return this.get();
    }

    private fun get():String {
        // do stuff
        return "stuff"
    }
}

fun main(args: Array<String>) {
    val config = Config()
    println(config())
}
```

Note that we add a new operator (line 2), and that calls the private `get`; it didn't need to be private but I thought let us have this be cleaner, and now on line 14 we can just call the instance itself.

Now, you may be thinking... nice, but so what? Saving a few keystrokes isn't too awesome. Well, `invoke` can return anything, including itself, which opens up something crazy.

```kotlin
class Config {
    var count = 0;
    operator fun invoke(): Config {
        count++
        return this
    }
}

fun main(args: Array<String>) {
    val config = Config()
    config()()()()()()()()()()
    println("config was called ${config.count} times")
}
```

This will print out `config was called 10 times`.

That is getting more interesting, so let us ramp up another level and pass parameters to `invoke`:

```kotlin
class Config {
    var word = ""
    operator fun invoke(s: String): Config {
        word += s
        return this
    }
}

fun main(args: Array<String>) {
    val config = Config()
    config("R")("o")("b")("e")("r")("t")
    println(config.word)
}
```

While I do not know yet where I would use this myself, I do use `invoke` all the time... since it is what makes lambdas possible in Kotlin: when we create a lambda we get an object which is invoked with, well... `invoke`.

Learning Kotlin: The For Loop

Submitted by Robert MacLean on Wed, 08/15/2018 - 09:00
**More Information**

* This is the 20th post in a multipart series. If you want to read more, see our [series index](/learning-kotlin-introduction)

Kotlin has two loops, `while` and `for`. When I started I was like, "yup, I know those..." - except I didn't. `while` works the way I expected it would, but `for` is something else. First, Kotlin does not have a traditional `for` loop, e.g. `for (var i = 0; i < max; i++)`... the `for` loop in Kotlin is closer to the iterator `foreach` loop in C#.

## Basic

Let's start with the basics: how do I run a loop, say 10 times, where we print out `0, 1, 2, 3, 4, 5, 6, 7, 8, 9`:

```kotlin
fun main(args:Array<String>) {
    for(i in 0..9) {
        println(i)
    }
}
```

In this, we use a [ClosedRange](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin.ranges/-closed-range/index.html) (`0..9`) to state the start and end of the loop. This would be the same as `for (var i = 0; i < 10; i++)`.

Now, normally we want to loop over an array of items, and we can do this in two ways. First, the equivalent of the C# `foreach` iterator / JS `for of`:

```kotlin
fun main(args:Array<String>) {
    val a = arrayOf("The","Quick","Brown","Fox")
    for(i in a) {
        println(i)
    }
}
```

and if we do the older style of using a normal `for` loop with the index we have:

```kotlin
fun main(args:Array<String>) {
    val a = arrayOf("The","Quick","Brown","Fox")
    for(i in 0 until a.size) {
        val value = a[i]
        println(value)
    }
}
```

What is awesome in the above is the range: rather than having the _inclusive_ lower and _inclusive_ upper bounds of the `..` range, we use the keyword `until`, which gives us an _exclusive_ upper bound.

Kotlin is all about helpers, and last time we looked at [destructuring](/learning-kotlin-destructuring), so it shouldn't be a surprise that we can use that to have BOTH the index and the value in the `for` loop.

```kotlin
fun main(args:Array<String>) {
    val a = arrayOf("The","Quick","Brown","Fox")
    for((i, value) in a.withIndex()) {
        println("$i is $value")
    }
}
```

## Extras

The `for` loop has two additional options worth knowing. The first is `downTo`, which loops from largest to smallest. This example prints `4321`:

```kotlin
for (i in 4 downTo 1) print(i)
```

The second is `step`, which allows you to control how many steps to take when moving to the next item; for this example we will get `42`:

```kotlin
for (i in 4 downTo 1 step 2) print(i)
```

## Operator

Adding support for this to our own classes is trivial: we merely need to implement the interface `Iterator` on our class. This adds two methods, `fun next(): T`, which should return the next value in the collection, and `fun hasNext(): Boolean`, which should return true if there is another value available.

Let us look at doing this with a class of prime numbers. For our example we will add one condition: since there are infinitely many primes, we will have an upper bound so it eventually ends - this is stored in the `maxToHunt` variable. In the code our `next` function not only returns the next value, it calculates the NEXT NEXT value too, which lets us set whether there are more primes left if `next` is called again.

```kotlin
class PrimeNumbers : Iterator<Int> {
    // start at 2, the first prime, so the first call to next() does not report 1 as prime
    var currentPrime = 2;
    val maxToHunt = 100;
    var morePrimesToFind = true;

    override fun next():Int {
        val result = this.currentPrime;

        // move past the value we are about to return and hunt for the next prime
        this.currentPrime += 1;
        while(this.currentPrime < this.maxToHunt) {
            var primeFound = true
            for(divisor in this.currentPrime-1 downTo 2) {
                if (this.currentPrime % divisor == 0) {
                    this.currentPrime += 1
                    primeFound = false
                    break
                }
            }

            if (primeFound) {
                break
            }
        }

        this.morePrimesToFind = this.currentPrime < this.maxToHunt
        return result
    }

    override fun hasNext() = this.morePrimesToFind
}

fun main(args:Array<String>) {
    for (i in PrimeNumbers()) {
        println("$i is prime")
    }
}
```

Learning Kotlin: Destructuring

Submitted by Robert MacLean on Tue, 08/14/2018 - 09:00
**More Information**

* This is the 19th post in a multipart series. If you want to read more, see our [series index](/learning-kotlin-introduction)

Learning a new language seems to be an experience you go through to:

1. change jobs
1. cause your boss made you do it
1. cause you are a nerd

The thing I forget each time I learn a new language is that the act of learning a new language helps me be a better software developer in my own primary language (the secret fourth option). Going through Kotlin has been a similar experience, and nothing jumped out more than object destructuring.

The simple use for object destructuring is to be able to assign multiple variables from an object in a single line. Let's look at this example:

```kotlin
data class Person(val firstName: String, val surname: String, val age: Int)

fun name(person: Person) {
    println("Hi ${person.firstName}")
}

fun name2(person: Person) {
    println("Hi ${person.firstName} ${person.surname}")
}

fun main(args:Array<String>) {
    val frank = Person("Frank", "Miller", 61)
    val alan = Person("Alan", "Moore", 64)

    name(frank)
    name2(frank)
    name(alan)
    name2(alan)
}
```

In each of `name` and `name2` I am working with the `Person` object, but all I want are the names. I never care about the age of the people. We could add a function now which pulls out just the strings we want, and modify everything else to work with JUST the data it needs:

```kotlin
data class Person(val firstName: String, val surname: String, val age: Int)

fun name(firstName: String) {
    println("Hi $firstName")
}

fun name2(firstName: String, surname: String) {
    println("Hi $firstName $surname")
}

fun print(person: Person) {
    val (firstName, surname) = person
    name(firstName)
    name2(firstName, surname)
}

fun main(args:Array<String>) {
    val frank = Person("Frank", "Miller", 61)
    val alan = Person("Alan", "Moore", 64)

    print(frank)
    print(alan)
}
```

Line 12 is the magic: that is *Object Destructuring*. Rather than having two lines where we assign a variable to `firstName` and `surname`, we can assign them both in one line, so long as they are wrapped in parentheses and match the names of the properties of the object. (Strictly, Kotlin destructures a data class by position, through the generated `component1()`, `component2()` and so on, so it is the order of the properties that matters rather than the variable names; using the property names keeps the code readable.)

So, why is this useful for other languages? Cause in JavaScript you have the same thing! The only difference is `{` and `}` rather than parentheses, and since learning it in Kotlin I've found that I use it more in my primary language too.

VS Code Extension of the Day: Paste JSON as code

Submitted by Robert MacLean on Fri, 08/10/2018 - 09:00
**More Information**

* This is the 8th post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

You have some data in JSON. You want a class to work with it in your TypeScript, Python, Go, Ruby, C#, Java, Swift, Rust, Kotlin, C++, Flow, Objective-C, JavaScript or Elm code, or you want a JSON Schema. What do you do? You could do it by hand, or you get this extension, which does it for you. And if you don't use VSCode (why are you here?), they also have [a website](https://app.quicktype.io) which can do this for you too.

[Learn more and download it](https://marketplace.visualstudio.com/items?itemName=quicktype.quicktype)

VS Code Extension of the Day: Settings Sync

Submitted by Robert MacLean on Wed, 08/08/2018 - 09:00
**More Information**

* This is the 7th post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

Settings Sync is _the first_ extension I always install, as it allows me to restore my settings AND extensions. It uses GitHub gists to store the config, so you have a slightly annoying setup process initially, but once done, each time you change a setting or extension it updates the gist. Then when you get a new install, it pulls down the settings and installs all the extensions you had, and you can get everything set up really easily and quickly.

[Learn more and download it](https://marketplace.visualstudio.com/items?itemName=Shan.code-settings-sync)

VS Code Extension of the Day: Editor Config

Submitted by Robert MacLean on Tue, 08/07/2018 - 09:00
**More Information**

* This is the 6th post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

If you work in a team where choice is important, you may find everyone has a different editor. Today our team uses VSCode, Atom & IntelliJ. Editor Config is a set of extensions for many editors which tries to unify things like tabs vs. spaces, trailing spaces, empty lines at the end etc... Think of this as your editor linting as you go. Unfortunately, support is limited for what can be done, but a lot of editors and IDEs are supported.

[Learn more and download it](https://marketplace.visualstudio.com/items?itemName=EditorConfig.EditorConfig)

VS Code Extension of the Day: Dracula Official

Submitted by Robert MacLean on Mon, 08/06/2018 - 09:00
**More Information**

* This is the 5th post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

So not an extension so much as a theme, Dracula is a great dark theme for Code. It is a little more playful in its colours too, which is a plus, but what makes it stand out is the [Dracula community](https://draculatheme.com/). There are tons of extensions to add Dracula to everything. I have my Slack, Terminal.app and IntelliJ all configured as well. It is really great to have the consistency everywhere.

[Learn more and download it](https://marketplace.visualstudio.com/items?itemName=dracula-theme.theme-dracula)

VS Code Extension of the Day: Code Runner

Submitted by Robert MacLean on Fri, 08/03/2018 - 09:00
**More Information**

* This is the 4th post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

Code Runner is a lightweight code execution tool. I think of it as the middle ground between a REPL environment and actually running code normally. So you can execute a single file, or even highlight specific lines and execute just them. It supports an amazing array of languages: C, C++, Java, JavaScript, PHP, Python, Perl, Perl 6, Ruby, Go, Lua, Groovy, PowerShell, BAT/CMD, BASH/SH, F# Script, F# (.NET Core), C# Script, C# (.NET Core), VBScript, TypeScript, CoffeeScript, Scala, Swift, Julia, Crystal, OCaml Script, R, AppleScript, Elixir, Visual Basic .NET, Clojure, Haxe, Objective-C, Rust, Racket, AutoHotkey, AutoIt, Kotlin, Dart, Free Pascal, Haskell, Nim and D.

I personally use it all the time with JS & Kotlin. I haven't needed to change any settings, though `code-runner.runInTerminal` sounds interesting.

[Download it here](https://marketplace.visualstudio.com/items?itemName=formulahendry.code-runner)

VS Code Extension of the Day: Bracket Pair Colorizer

Submitted by Robert MacLean on Thu, 08/02/2018 - 09:00
**More Information**

* This is the 3rd post in a multipart series. If you want to read more, see our [series index](/vs-code-extension-day)

At its simplest, this extension allows your brackets, {} [] (), to be set to a unique colour per pair. This makes it really easy to spot when you have goofed up and removed a closing bracket. Behind the obvious is a lot of really awesome extras. You can have a pair of brackets highlight when you click on one of them with `bracketPairColorizer.highlightActiveScope`, and you can also add an icon to the gutter at the other bracket of the pair with `bracketPairColorizer.showBracketsInGutter`, which makes it trivial to work out the size of the scope. It also adds a command, `bracket-pair-colorizer.expandBracketSelection`, which is unbound by default but will allow you to select the entire area inside the current bracket pair. Do it again, and it will include the next scope. For example, you can select the entire function, then the entire class.

[Learn more and download it](https://marketplace.visualstudio.com/items?itemName=CoenraadS.bracket-pair-colorizer)