Iframe Sandboxing
The sandbox="" attribute should always be added to iframes with untrusted or third-party sources. The attribute restricts what the embedded content may do, for example by blocking script execution or form submission.

Affected elements:
<iframe height="0" src="https://www.googletagmanager.com/ns.html?id=GTM-PZ6TRJB" style="display:none;visibility:hidden" width="0"></iframe> [https://www.google.com/chrome/]
Crossorigin
The crossorigin="anonymous" attribute should always be added to external resources so that no user credentials are transmitted. When external files are loaded with a GET request, HTTP user credentials are sent by default. If the source host is compromised, an attacker could use these details in further attacks.

Affected elements:
<script async="" nonce="Q-M6Lha1tTi7JuzepG5bbA" src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js"></script> [https://www.google.com/chrome/]
<script async="" nonce="Q-M6Lha1tTi7JuzepG5bbA" src="https://www.googletagmanager.com/gtag/js?id=UA-26908291-4"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/modernizr/modernizr.js"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js"></script> [https://www.google.com/chrome/]
<link href="https://www.youtube.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://s.ytimg.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://www.googletagmanager.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://www.google-analytics.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://2542116.fls.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://static.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://googleads.g.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
Integrity
The integrity="sha256-..." attribute should always be added to external files hosted on another domain, because unexpected manipulation or corruption of the code can lead to session hijacking or similar script-related attacks.

Affected elements:
<script async="" nonce="Q-M6Lha1tTi7JuzepG5bbA" src="https://www.gstatic.com/external_hosted/autotrack/autotrack.js"></script> [https://www.google.com/chrome/]
<script async="" nonce="Q-M6Lha1tTi7JuzepG5bbA" src="https://www.googletagmanager.com/gtag/js?id=UA-26908291-4"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/modernizr/modernizr.js"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js"></script> [https://www.google.com/chrome/]
<script nonce="Q-M6Lha1tTi7JuzepG5bbA" src="//www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js"></script> [https://www.google.com/chrome/]
<link crossorigin="" href="https://fonts.gstatic.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://www.youtube.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://s.ytimg.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://www.googletagmanager.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://www.google-analytics.com" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://2542116.fls.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://static.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
<link href="https://googleads.g.doubleclick.net" rel="preconnect"></link> [https://www.google.com/chrome/]
<link crossorigin="" href="//fonts.googleapis.com/css?family=Google+Sans:400,500%7CRoboto:400,500%7C&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese&display=swap" rel="preconnect stylesheet"></link> [https://www.google.com/chrome/]
Link Referrer
The rel="noreferrer" attribute should always be added to external links to prevent reverse tabnabbing in older browsers that do not support the rel="noopener" attribute, and to prevent phishing attacks.

Affected elements:
<a aria-label="Go to chrome enterprise" class="chr-link chr-link--external js-slider-link chr-slider__item-link chr-link--small" data-g-action="clicked" data-g-event="chrome-body-link" data-g-label="go-to-chrome-enterprise|chrome-homepage" ga-event-action="clicked" ga-event-category="content-cards" ga-event-label="go-to-chrome-enterprise|chrome-homepage" ga-on="click" href="https://chromeenterprise.google/" rel="noopener" target="_blank">Go to Chrome Enterprise <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class=" chr-footer-social__link" data-g-action="clicked" data-g-event="chrome-footer-social" data-g-label="follow-us:youtube" ga-event-action="clicked" ga-event-category="chrome-footer-social" ga-event-label="follow-us:youtube" ga-on="click" href="https://www.youtube.com/user/googlechrome" rel="noopener nofollow" target="_blank" title="Youtube"> <svg class="chr-icon chr-icon--24"><title id="social-youtube-title">Youtube</title><use xlink:href="#social-youtube"></use><image alt="Youtube" class="svg-fallback" height="24" src="/chrome/static/images/fallback/icon-youtube.jpg" width="24" xlink:href=""></image></svg></a> [https://www.google.com/chrome/]
<a class=" chr-footer-social__link" data-g-action="clicked" data-g-event="chrome-footer-social" data-g-label="follow-us:twitter" ga-event-action="clicked" ga-event-category="chrome-footer-social" ga-event-label="follow-us:twitter" ga-on="click" href="https://twitter.com/googlechrome" rel="noopener nofollow" target="_blank" title="Twitter"> <svg class="chr-icon chr-icon--24"><title id="social-twitter-title">Twitter</title><use xlink:href="#social-twitter"></use><image alt="Twitter" class="svg-fallback" height="24" src="/chrome/static/images/fallback/icon-twitter.jpg" width="24" xlink:href=""></image></svg></a> [https://www.google.com/chrome/]
<a class=" chr-footer-social__link" data-g-action="clicked" data-g-event="chrome-footer-social" data-g-label="follow-us:facebook" ga-event-action="clicked" ga-event-category="chrome-footer-social" ga-event-label="follow-us:facebook" ga-on="click" href="https://www.facebook.com/googlechrome/" rel="noopener nofollow" target="_blank" title="Facebook"> <svg class="chr-icon chr-icon--24"><title id="social-facebook-title">Facebook</title><use xlink:href="#social-facebook"></use><image alt="Facebook" class="svg-fallback" height="24" src="/chrome/static/images/fallback/icon-fb.jpg" width="24" xlink:href=""></image></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="enterprise-chrome-browser" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="enterprise-chrome-browser" ga-on="click" href="https://chromeenterprise.google/browser/download/" rel="noopener" target="_blank">Download Chrome <br></br>Browser <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="g-suite" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="g-suite" ga-on="click" href="https://chromeenterprise.google/browser/" rel="noopener" target="_blank">Chrome Browser for <br></br>Enterprise <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="enterprise-devices" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="enterprise-devices" ga-on="click" href="https://chromeenterprise.google/devices/" rel="noopener" target="_blank">Chrome Devices <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="g-suite" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="g-suite" ga-on="click" href="https://chromeenterprise.google/os/" rel="noopener" target="_blank">Chrome OS <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="chromium" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="chromium" ga-on="click" href="https://www.chromium.org/" rel="noopener" target="_blank">Chromium <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="chrome-OS" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="chrome-OS" ga-on="click" href="https://www.chromium.org/chromium-os" rel="noopener" target="_blank">Chrome OS <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="chrome-webstore" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="chrome-webstore" ga-on="click" href="https://developer.chrome.com/webstore/?hl=en" rel="noopener" target="_blank">Chrome Web Store <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="chrome-experiments" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="chrome-experiments" ga-on="click" href="https://www.chromeexperiments.com/" rel="noopener" target="_blank">Chrome Experiments <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class="chr-link chr-link--external chr-footer__link chr-link--nav chr-copy" data-g-action="clicked" data-g-event="site_footer" data-g-label="google-chrome-blog" ga-event-action="clicked" ga-event-category="site_footer" ga-event-label="google-chrome-blog" ga-on="click" href="https://blog.google/products/chrome/" rel="noopener" target="_blank">Google Chrome Blog <svg aria-hidden="true" class="chr-icon chr-icon--link"><use xlink:href="#arrow-external"></use></svg></a> [https://www.google.com/chrome/]
<a class=" chr-footer__link chr-link--nav" data-g-action="clicked" data-g-event="nav-subfooter" data-g-label="about" ga-event-action="clicked" ga-event-category="nav-subfooter" ga-event-label="about" ga-on="click" href="https://about.google/" rel="noopener" target="_blank">About Google</a> [https://www.google.com/chrome/]
<a class=" chr-footer__link chr-link--nav" data-g-action="clicked" data-g-event="nav-subfooter" data-g-label="products" ga-event-action="clicked" ga-event-category="nav-subfooter" ga-event-label="products" ga-on="click" href="https://about.google/products/" rel="noopener" target="_blank">Google Products</a> [https://www.google.com/chrome/]
<a href="https://chromium.googlesource.com/chromium/src/+/refs/heads/master/docs/linux/chromium_packages.md" id="js-linux-community" rel="noopener" target="_blank">here</a> [https://www.google.com/chrome/]
<a class=" chr-link" data-g-action="clicked" data-g-event="chrome-cta-button" data-g-label="other-platforms:ios" ga-event-action="clicked" ga-event-category="chrome-cta-button" ga-event-label="other-platforms:ios" ga-on="click" href="//itunes.apple.com/us/app/chrome/id535886823" id="js-other-ios" rel="noopener" target="_blank">iOS</a> [https://www.google.com/chrome/]