Maniphest T214821

Reference previews use target=_blank without rel=noopener
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	Schnark
	Jan 28 2019, 8:57 AM

Tags

Referenced Files

None

Subscribers

Description

https://phabricator.wikimedia.org/diffusion/EPOP/browse/master/src/ui/renderer.js$252 sets target="_blank", but does not set rel="noopener". See https://mathiasbynens.github.io/rel-noopener/ as an explanation why this is insecure.
For reference: The same issue for core MediaWiki was T133507, and was fixed by adding rel="noopener noreferrer" (for older browsers) to all links with target="_blank". The same should be done here, too.

Related Objects

Mentioned Here: T133507: Careless use of $wgExternalLinkTarget is insecure

Event Timeline

Schnark created this task.Jan 28 2019, 8:57 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2019, 8:57 AM

Schnark added projects: Reference Previews, Page-Previews.Jan 28 2019, 8:57 AM

Addshore closed this task as a duplicate of T214776: Reference popups add _blank target without rel=noopener.Jan 28 2019, 10:20 AM

Addshore added a subscriber: WMDE-Fisch.

Addshore added subscribers: thiemowmde, JStrodt_WMDE, • Lea_WMDE.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 29 2019, 6:13 AM

• chasemp added a project: Security.Feb 10 2020, 10:51 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM