Add noopener and noreferrer to new window links #221

Merged
merged 1 commit into from Jan 4, 2017

@fofr fofr commented Jan 4, 2017

Fixes #217

We're using [target=_blank] which has a vulnerability
https://mathiasbynens.github.io/rel-noopener/

“To prevent pages from abusing window.opener, use rel=noopener. This
ensures window.opener is null in Chrome 49 and Opera 36.”

“For older browsers, you could use rel=noreferrer which also disables
the Referer HTTP header”

@boffbowsh boffbowsh temporarily deployed to government-frontend-pr-221 Jan 4, 2017 Inactive
@nickcolley nickcolley commented Jan 4, 2017

Tested this by clicking through and checking 'window.opener', looks good! 👍

I'll also raise issues on the other frontend applications that have this problem.

@nickcolley nickcolley merged commit 237f8b0 into master Jan 4, 2017
1 check passed
@govuk-ci
continuous-integration/jenkins/branch This commit looks good
@nickcolley nickcolley deleted the no-opener branch Jan 4, 2017
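
An added illustration of the fix discussed in this pull request, not code from the pull request or the project: a JavaScript check that scans rendered HTML for `target=_blank` links whose `rel` lacks `noopener` or `noreferrer`, and rewrites them to carry both. The function names and the sample markup are constructed for the example.

```javascript
// Added example, not project code. Regex scan of rendered HTML, not a full parser:
// an attribute value containing ">" would cut the tag short.
const REQUIRED_REL = ['noopener', 'noreferrer'];
const ANCHOR_TAG = /<a\s[^>]*>/gi;

// Constructed sample markup.
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">bare</a>',
  '<a href="https://example.com/b" target="_blank" rel="noopener">partial</a>',
  '<a href="https://example.com/c" target="_blank" rel="external noopener noreferrer">ok</a>',
  '<a href="/d">same window</a>',
].join('\n');

// Read one attribute value (double-quoted, single-quoted or unquoted) from a start tag.
function getAttr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = tag.match(re);
  return m ? m.slice(1).find((v) => v !== undefined) : null;
}

function opensNewWindow(tag) {
  return (getAttr(tag, 'target') || '').toLowerCase() === '_blank';
}

function relTokens(tag) {
  return (getAttr(tag, 'rel') || '').split(/\s+/).filter(Boolean);
}

// Required rel tokens that the tag does not already carry (case-insensitive).
function missingRel(tag) {
  const have = relTokens(tag).map((t) => t.toLowerCase());
  return REQUIRED_REL.filter((t) => !have.includes(t));
}

// Report every new-window link that still exposes window.opener to the opened page.
function findUnsafeLinks(html) {
  return [...html.matchAll(ANCHOR_TAG)]
    .map(([tag]) => ({ tag, missing: opensNewWindow(tag) ? missingRel(tag) : [] }))
    .filter((f) => f.missing.length > 0);
}

// Rewrite new-window links so rel holds both tokens, keeping any existing ones.
function hardenLinks(html) {
  return html.replace(ANCHOR_TAG, (tag) => {
    if (!opensNewWindow(tag)) return tag;
    const rel = relTokens(tag).concat(missingRel(tag)).join(' ');
    const stripped = tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return stripped.replace(/\s*\/?>$/, (end) => ` rel="${rel}"${end.trim()}`);
  });
}
```

Running `findUnsafeLinks` over page output in CI catches new `target=_blank` links that are added later without the `rel` attribute.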