
Reference popups add _blank target without rel=noopener
Closed, Resolved · Public

Description

I haven't actually tested this, so forgive me if I misunderstand the code.

It looks like in src/ui/renderer.js line 252:

$el.find( '.mwe-popups-extract a[href]' ).each( ( i, a ) => {
        a.target = '_blank';
} );

Looks like all the links are getting target _blank, and these links are user controlled, but there is no noopener set. This could be useful to certain types of phishing attacks. It's not a super critical thing, but please set rel=noopener for links that get target=_blank. (e.g. https://mathiasbynens.github.io/rel-noopener/ )
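An added example (not the Reference Previews code) contrasting the loop quoted above with a hardened version that adds rel=noopener while preserving any rel tokens a link already carries, plus an audit helper that lists links still opening with target=_blank and no noopener/noreferrer. It works on DOM anchors or on plain objects with `href`/`target`/`rel` string properties; the sample anchors and the function names are assumptions made for this example.

```javascript
// Split a space-separated rel value into its tokens.
function relTokens(rel) {
  return (rel || '').split(/\s+/).filter(Boolean);
}

// Add a token to a rel value without duplicating it; existing tokens
// (e.g. "nofollow") are kept, since overwriting rel is a common regression.
function addRelToken(rel, token) {
  const tokens = relTokens(rel);
  if (!tokens.includes(token)) {
    tokens.push(token);
  }
  return tokens.join(' ');
}

// The pattern from the report: every link opens in a new tab, but the new
// page keeps a window.opener reference back to the page that opened it.
function openInNewTabUnsafe(anchors) {
  for (const a of anchors) {
    a.target = '_blank';
  }
  return anchors;
}

// Hardened form: same behaviour for the user, but rel=noopener severs the
// window.opener link so the opened page cannot navigate the opener.
function openInNewTabSafely(anchors) {
  for (const a of anchors) {
    a.target = '_blank';
    a.rel = addRelToken(a.rel, 'noopener');
  }
  return anchors;
}

// Audit helper: hrefs of links that open a new tab without noopener.
// "noreferrer" is accepted too, because browsers treat it as implying noopener.
function findUnsafeBlankTargets(anchors) {
  return anchors
    .filter((a) => a.target === '_blank')
    .filter((a) => {
      const tokens = relTokens(a.rel);
      return !tokens.includes('noopener') && !tokens.includes('noreferrer');
    })
    .map((a) => a.href);
}

// Constructed sample input standing in for the anchors inside .mwe-popups-extract.
const sampleAnchors = [
  { href: 'https://example.org/cited-page', target: '', rel: '' },
  { href: 'https://example.net/other', target: '', rel: 'nofollow' },
];
```

Running `findUnsafeBlankTargets` over the output of each loop shows the unsafe loop flagging both sample links and the hardened loop flagging none, with the second link's rel becoming `nofollow noopener`.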

Event Timeline

Bawolff created this task.Jan 27 2019, 6:05 AM
Restricted Application added a subscriber: Aklapper. Jan 27 2019, 6:05 AM
thiemowmde triaged this task as Low priority.
thiemowmde moved this task from Backlog to Doing on the Reference Previews board.

Probably having no access to security tickets ;-)

Oh. I suggest lifting the limitation from this and the other ticket T214754, as both are not exploitable on any production server.

Bawolff closed this task as Resolved.Jan 28 2019, 3:28 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

That was quick!

Thanks for addressing this so quickly.