harden: add rel="noopener noreferrer" to external target="_blank" links #309
Links opened with target="_blank" but no rel give the opened page window.opener access (reverse-tabnabbing) and leak a referrer. Add rel="noopener noreferrer" to every external target="_blank" link that lacked a rel (mechanical, no behavioral change). Notably covers the TonieboxCard link built from server-provided box IP. Fixes toniebox-reverse-engineering#308
The integration failed
Checking formatting... Please redo this and format it using prettier. @henryk86 I think the CI doesn't block the integration of the PR if the formatting is wrong.

Just "npm run format" should be necessary to fix it.
Fixes #308
What
Adds rel="noopener noreferrer" to every external target="_blank" link that lacked a rel — a consistent, mechanical sweep across ~23 files (49 lines).

Why
Opening a link in a new tab without rel="noopener" exposes window.opener to the opened page (reverse-tabnabbing) and leaks the referrer. Current browsers imply noopener for target="_blank", so this is defense-in-depth/hygiene, but it's best practice and matters most for the one link constructed from server-provided data (TonieboxCard box IP).

Notes / scope
http://<boxIp> fetch in TonieboxCard is not touched — the box's CFW endpoint is HTTP-only, so that's inherent and out of scope here.
npm run build (tsc && vite build) — passes.
Targeted at develop.
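
A checker for the kind of sweep described above, as an added example that is not part of the pull request or the project's code: it scans JSX/HTML source for opening tags with target="_blank" whose rel lacks noopener or noreferrer. The function names and the sample markup are constructed for illustration.

```javascript
// Added example (not project code): heuristic scan of JSX/HTML source for
// opening tags with target="_blank" whose rel lacks noopener or noreferrer.

// Value of a quoted (or {"quoted"}) attribute; null when the attribute is absent
// or built by an expression, so a dynamic rel is reported for manual review
// and a dynamic target is skipped.
function getAttr(tagText, name) {
  const re = new RegExp(
    `\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|\\{\\s*["']([^"']*)["']\\s*\\})`);
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Text of the opening tag that starts at src[start] === "<". Quotes and {...}
// depth are tracked so the ">" of an arrow function does not end the tag early.
function readTag(src, start) {
  let depth = 0, quote = null;
  for (let i = start + 1; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "{") depth++;
    else if (c === "}") depth--;
    else if (c === ">" && depth === 0) return src.slice(start + 1, i);
  }
  return null; // unterminated tag
}

function findBlankLinksMissingRel(src) {
  const findings = [];
  for (let i = src.indexOf("<"); i !== -1; i = src.indexOf("<", i + 1)) {
    const name = /^[A-Za-z][\w.]*(?=[\s/>])/.exec(src.slice(i + 1, i + 65));
    const tag = name && readTag(src, i);
    if (!tag || getAttr(tag, "target") !== "_blank") continue;
    const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/);
    const missing = ["noopener", "noreferrer"].filter((t) => !rel.includes(t));
    const line = src.slice(0, i).split("\n").length;
    if (missing.length) findings.push({ line, tag: name[0], missing });
  }
  return findings;
}

// Constructed sample input, not taken from the repository.
const SAMPLE = [
  '<a href="https://example.org" target="_blank">docs</a>',
  '<a href={`http://${boxIp}`} target="_blank" onClick={() => track()}>box</a>',
  '<a href="https://example.org" target="_blank" rel="noopener noreferrer">ok</a>',
  '<Link to="https://example.org"\n  target="_blank"\n  rel="noopener">x</Link>',
].join("\n");
console.log(findBlankLinksMissingRel(SAMPLE));
```

Because it works on text rather than a parsed AST, treat its output as a review list; a lint rule that parses the JSX is the stricter option for CI.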