
Reference previews use target=_blank without rel=noopener
Closed, Duplicate; Public

Description

https://phabricator.wikimedia.org/diffusion/EPOP/browse/master/src/ui/renderer.js$252 sets target="_blank", but does not set rel="noopener". See https://mathiasbynens.github.io/rel-noopener/ for an explanation of why this is insecure.
For reference: The same issue for core MediaWiki was T133507, and was fixed by adding rel="noopener noreferrer" (for older browsers) to all links with target="_blank". The same should be done here, too.
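A sketch of the requested fix, as an added example that is not code from the Popups extension or from MediaWiki core: it merges `noopener noreferrer` into the `rel` value of every `target="_blank"` link while keeping unrelated tokens. The function names and the fake DOM stand-ins are hypothetical and exist only so the example runs outside a browser.

```javascript
// Added example, not code from the Popups extension. All names are hypothetical.

// Return a rel value that contains noopener and noreferrer, keeping other tokens.
function hardenedRel(rel) {
  const tokens = new Set(
    (rel || '').split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
  tokens.delete('opener'); // rel="opener" would explicitly re-enable window.opener
  tokens.add('noopener');
  tokens.add('noreferrer'); // covers older browsers that ignore noopener
  return [...tokens].join(' ');
}

// Patch every <a target="_blank"> under root; returns how many links changed.
function hardenLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target]')) {
    if ((a.getAttribute('target') || '').toLowerCase() !== '_blank') continue;
    const before = a.getAttribute('rel');
    const after = hardenedRel(before);
    if (after !== before) {
      a.setAttribute('rel', after);
      changed += 1;
    }
  }
  return changed;
}

// Constructed stand-ins for DOM nodes so the example also runs under Node.
function fakeAnchor(attrs) {
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = String(value); },
  };
}
function fakeRoot(anchors) {
  return { querySelectorAll: () => anchors };
}
```

In a browser, `hardenLinks(document)` applies the same logic to real anchors; setting `rel` at the point where the link is rendered is preferable to patching afterwards.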