harden: add rel="noopener noreferrer" to external target="_blank" links #309

Merged: SciLor merged 1 commit into toniebox-reverse-engineering:develop from aflores-qb:harden/external-link-noopener, Jun 7, 2026

@aflores-qb

Fixes #308

What

Adds rel="noopener noreferrer" to every external target="_blank" link that lacked a rel — a consistent, mechanical sweep across ~23 files (49 lines).

Why

Opening a link in a new tab without rel="noopener" exposes window.opener to the opened page (reverse-tabnabbing) and leaks the referrer. Current browsers imply noopener for target="_blank", so this is defense-in-depth/hygiene, but it's best practice and matters most for the one link constructed from server-provided data (TonieboxCard box IP).

Notes / scope

  • No behavioral change; attribute-only.
  • The mixed-content http://<boxIp> fetch in TonieboxCard is not touched — the box's CFW endpoint is HTTP-only, so that's inherent and out of scope here.
  • Verified with npm run build (tsc && vite build) — passes.

Targeted at develop.
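
A source check can keep the sweep described in this pull request from regressing. The following is an added example, not code from this pull request or from teddycloud-web; the function name, the policy of requiring both rel tokens and the sample markup are assumptions made for illustration.

```javascript
// Added example, not code from teddycloud-web. All names are hypothetical.
// Policy assumed: every target="_blank" link carries both rel tokens.
const REQUIRED = ["noopener", "noreferrer"];

// Opening tag whose attributes are quoted strings or JSX {expressions}
// (one nested brace level, enough for href={`http://${boxIp}`}).
const TAG_RE = /<([A-Za-z][\w.]*)((?:[^<>"'{}]|"[^"]*"|'[^']*'|\{(?:[^{}]|\{[^{}]*\})*\})*)>/g;
const TARGET_BLANK_RE = /(?:^|\s)target\s*=\s*(?:"_blank"|'_blank'|\{\s*["']_blank["']\s*\})/;
const REL_RE = /(?:^|\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|\{\s*["']([^"']*)["']\s*\})/;

function findUnsafeBlankLinks(source) {
    const findings = [];
    for (const m of source.matchAll(TAG_RE)) {
        const [, tag, attrs] = m;
        if (!TARGET_BLANK_RE.test(attrs)) continue;
        // A rel that is absent or computed at runtime yields no tokens and is reported.
        const rel = REL_RE.exec(attrs);
        const value = rel ? (rel[1] ?? rel[2] ?? rel[3]) : "";
        const tokens = value.toLowerCase().split(/\s+/);
        const missing = REQUIRED.filter((t) => !tokens.includes(t));
        if (missing.length === 0) continue;
        const line = source.slice(0, m.index).split("\n").length;
        findings.push({ line, tag, missing });
    }
    return findings;
}

// Constructed sample input (not taken from the repository).
const SAMPLE = [
    'const Card = ({ boxIp }) => (',
    '    <div>',
    '        <a href="https://example.org/docs" target="_blank">Docs</a>',
    '        <a href={`http://${boxIp}`} target="_blank">Open box</a>',
    '        <a href="https://example.org/forum" target="_blank" rel="noopener noreferrer">Forum</a>',
    '        <a',
    '            href="https://example.org/wiki"',
    '            target="_blank"',
    '            rel="noopener"',
    '        >Wiki</a>',
    '        <a href="/settings">Settings</a>',
    '    </div>',
    ');',
].join("\n");

for (const f of findUnsafeBlankLinks(SAMPLE)) {
    console.log(`line ${f.line}: <${f.tag}> target="_blank" missing rel ${f.missing.join(" ")}`);
}
```

The regular expressions cover literal attribute values only, so a finding on a tag with a computed rel is a prompt for manual review rather than proof of a defect.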

@aflores-qb aflores-qb force-pushed the harden/external-link-noopener branch from 5931936 to 072a518 Compare June 7, 2026 17:52
Links opened with target="_blank" but no rel give the opened page
window.opener access (reverse-tabnabbing) and leak a referrer. Add
rel="noopener noreferrer" to every external target="_blank" link that
lacked a rel (mechanical, no behavioral change). Notably covers the
TonieboxCard link built from server-provided box IP.

Fixes toniebox-reverse-engineering#308
@aflores-qb aflores-qb force-pushed the harden/external-link-noopener branch from 072a518 to d75f95e Compare June 7, 2026 17:52
@SciLor SciLor merged commit 0557740 into toniebox-reverse-engineering:develop Jun 7, 2026
@SciLor

SciLor commented Jun 7, 2026

Contributor

The integration failed

teddycloud-web@0.7.0 format:check
prettier . --check

Checking formatting...
[warn] src/components/common/footer/StyledFooter.tsx
[warn] src/components/community/CommunitySubNav.tsx
[warn] src/components/home/features/Features.tsx
[warn] src/components/home/home/Home.tsx
[warn] src/components/home/HomeSubNav.tsx
[warn] src/components/settings/SettingsSubNav.tsx
[warn] src/components/tonieboxes/boxsetup/cc3200/elements/InstallCC3200Tool.tsx
[warn] src/components/tonieboxes/boxsetup/cc3200/steps/Step0Preparations.tsx
[warn] src/components/tonieboxes/boxsetup/cc3200/steps/Step1Bootloader.tsx
[warn] src/components/tonieboxes/boxsetup/cc3200/steps/Step3Patches.tsx
[warn] src/components/tonieboxes/boxsetup/cc3200/steps/Step4ApplyingPatches.tsx
[warn] src/components/tonieboxes/boxsetup/cc3235/steps/Step0Preparations.tsx
[warn] src/components/tonieboxes/boxsetup/cc3235/steps/Step1Certificates.tsx
[warn] src/components/tonieboxes/boxsetup/common/elements/DnsForTeddyCloud.tsx
[warn] src/components/tonieboxes/boxsetup/common/modals/AvailableBoxesModal.tsx
[warn] src/components/tonieboxes/boxsetup/esp32/flashing/steps/Step0Preparations.tsx
[warn] src/components/tonieboxes/boxsetup/esp32/legacy/steps/Step0Preparations.tsx
[warn] src/components/tonieboxes/boxsetup/OpenBoxGuide.tsx
[warn] src/components/tonieboxes/tonieboxcard/TonieboxCard.tsx
[warn] src/pages/community/CommunityPage.tsx
[warn] src/pages/community/ContributorsPage.tsx
[warn] Code style issues found in 21 files. Run Prettier with --write to fix.
Error: Process completed with exit code 1.

Please redo this and format it using prettier.

@henryk86 I think the CI doesn't block the integration of the PR, if the formatting is wrong.

@henryk86

henryk86 commented Jun 7, 2026

Collaborator

Just "npm run format" should be necessary to fix it.
