Add noopener and noreferrer to new window links #221

Merged
merged 1 commit into from Jan 4, 2017

@fofr
Member
fofr commented Jan 4, 2017 edited

Fixes #217

We're using [target=_blank] which has a vulnerability
https://mathiasbynens.github.io/rel-noopener/

“To prevent pages from abusing window.opener, use rel=noopener. This
ensures window.opener is null in Chrome 49 and Opera 36.”

“For older browsers, you could use rel=noreferrer which also disables
the Referer HTTP header”

@nickcolley

@fofr fofr Add noopener and noreferrer to new window links
Fixes #217

We're using `[target=_blank]` which has a vulnerability
https://mathiasbynens.github.io/rel-noopener/

“To prevent pages from abusing window.opener, use rel=noopener. This
ensures window.opener is null in Chrome 49 and Opera 36.”

“For older browsers, you could use rel=noreferrer which also disables
the Referer HTTP header”
def3f77
@boffbowsh boffbowsh temporarily deployed to government-frontend-pr-221 Jan 4, 2017 Inactive
@nickcolley
Contributor

Tested this by clicking through and checking 'window.opener', looks good! 👍

I'll also raise issues on the other frontend applications that have this problem.

@nickcolley nickcolley merged commit 237f8b0 into master Jan 4, 2017

1 check passed

continuous-integration/jenkins/branch This commit looks good
@nickcolley nickcolley deleted the no-opener branch Jan 4, 2017
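
An audit for the problem this PR fixes, added here as an example (it is not code from this repository): it scans a template string for `<a target=_blank>` tags that lack the `noopener` and `noreferrer` tokens and returns the `rel` value to write. The function names and sample markup are constructed, and the regex tag scan is an assumption suited to linting templates, not a full HTML parser.

```javascript
// Added example: sample markup and function names are constructed for illustration.
const REQUIRED = ['noopener', 'noreferrer']; // the two rel tokens this PR adds

// Opening <a ...> tags only; quoted attribute values may contain '>'.
const TAG_RE = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse one opening tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<a/i, '').replace(/>$/, '');
  for (const m of body.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Keep existing rel tokens (e.g. "external") and append whichever are missing.
function hardenedRel(rel) {
  const tokens = (rel || '').split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED) if (!seen.has(t)) tokens.push(t);
  return tokens.join(' ');
}

// Report every target=_blank link whose rel lacks a required token.
function findUnsafeLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(tag);
    // The _blank keyword is matched case-insensitively.
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    const missing = REQUIRED.filter((t) => !rel.has(t));
    if (missing.length) findings.push({ tag, missing, fix: hardenedRel(attrs.rel) });
  }
  return findings;
}

// Constructed sample: two links need fixing, the rest must not be reported.
const SAMPLE = `
<a href="https://example.com/a" target="_blank">no rel</a>
<a href="https://example.com/b" target=_BLANK rel="external noopener">partial</a>
<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">ok</a>
<a href="/d" title="x > y">same window</a>
<abbr title="a">not a link</abbr>`;
```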