Closed Bug 1441493 Opened 8 years ago Closed 8 years ago

Use rel="noopener" for all target != null links

Categories

(Tree Management :: Treeherder: Frontend, enhancement, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: emorley, Assigned: emorley)

Attachments

(1 file)

To prevent:
https://www.owasp.org/index.php/Reverse_Tabnabbing
https://mathiasbynens.github.io/rel-noopener/

Looking at browser support for `noopener`, we don't need to worry about `noreferrer` (which is a more heavy-handed option, that is only needed for older browsers):
https://caniuse.com/#search=noopener

We'll also need to ensure we don't add `noopener` to the `login.html` open() since otherwise that will break the callback handling.

Other resources:
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Tabnabbing
https://html.spec.whatwg.org/multipage/links.html#link-type-noopener

Attachment #8954318 - Flags: review?(cdawson)
Attachment #8954318 - Flags: review?(cdawson) → review+

Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/bd870cf8cecad32df6ef395a8714f3b7395cc1d3
Bug 1441493 - Use rel="noopener" for all target != null links (#3275)

This helps prevent:
https://www.owasp.org/index.php/Reverse_Tabnabbing

We're not also using `noreferrer`, since most browsers now support `noopener` (https://caniuse.com/#search=noopener) and the link targets are all Mozilla properties where the referrer may be useful.

The auth.js `window.open()` has not been changed, since the login callback makes use of `window.opener`.

Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
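
An added example, not part of the bug thread or the Treeherder code: a small Node.js audit that flags `<a>`/`<area>` tags in template text that set `target` without `rel="noopener"` (or `noreferrer`, which implies it). The function names and sample markup are constructed for illustration, and `window.open()` calls such as the login one discussed above are outside its scope.

```javascript
// Added example (hypothetical helper names; sample markup is constructed).
// Regex scan of template text, not a full HTML parser.
const TAG_RE = /<(?:a|area)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a lowercase-name -> value map.
function parseAttrs(raw) {
  const attrs = Object.create(null); // no prototype keys such as "constructor"
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as in the HTML parser.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every link that has a target attribute but no rel token
// that severs window.opener.
function findLinksMissingNoopener(markup) {
  const findings = [];
  for (const m of markup.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!('target' in attrs)) continue; // the bug's rule: target != null
    // rel is a space-separated, case-insensitive token list.
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    const line = markup.slice(0, m.index).split('\n').length;
    findings.push({ line, tag: m[0] });
  }
  return findings;
}

// Constructed sample template: lines 1 and 5 should be reported.
const SAMPLE = [
  '<a href="https://bugzilla.example/1" target="_blank">bug</a>',
  '<a href="https://docs.example/" target="_blank" rel="noopener">docs</a>',
  "<a target='_blank' rel='NoReferrer nofollow' href='https://x.example/'>x</a>",
  '<a href="/local">same tab</a>',
  '<area target=_blank href=/map>',
].join('\n');

for (const f of findLinksMissingNoopener(SAMPLE)) {
  console.log(`line ${f.line}: ${f.tag}`);
}
```
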