🔒 [security] Fix Reverse Tabnabbing Vulnerability via target='_blank'

[sunnylqm]

🎯 What: The vulnerability fixed is Reverse Tabnabbing, where a page opened via target="_blank" can control the original page via window.opener.

⚠️ Risk: If a user clicks a link to a malicious external site, that site could redirect the original tab to a phishing page, potentially stealing user credentials or other sensitive information.

🛡️ Solution: Added rel="noopener noreferrer" to all Button and a tags that use target="_blank". This ensures that the newly opened page does not have access to the window.opener object and that no referrer information is sent to the target page.

---

PR created automatically by Jules for task 13889870270911040278 started by @sunnylqm

Summary by CodeRabbit

• Bug Fixes
  • Improved security handling for external links that open in new browser tabs by updating link relationship attributes across multiple components and pages.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[netlify]

✅ Deploy Preview for pushy ready!

Name	Link
🔨 Latest commit	d573ec4
🔍 Latest deploy log	https://app.netlify.com/projects/pushy/deploys/69d1414a44317d00095d3a9f
😎 Deploy Preview	https://deploy-preview-23--pushy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 316f5d12-6840-45f7-887c-12cae1da6433

📥 Commits

Reviewing files that changed from the base of the PR and between 06aa0c8 and d573ec4.

📒 Files selected for processing (7)

• src/components/main-layout.tsx
• src/components/sider.tsx
• src/pages/api-tokens.tsx
• src/pages/manage/components/commit.tsx
• src/pages/manage/components/version-table.tsx
• src/pages/register.tsx
• src/pages/user.tsx

---

📝 Walkthrough

Walkthrough

Across seven files, external links with target="_blank" are updated with enhanced security attributes. The rel attribute is standardized to "noopener noreferrer" across components and pages, ensuring consistent cross-window security handling while maintaining all existing functionality.

Changes

Cohort / File(s)	Summary
Layout Component Links src/components/main-layout.tsx, src/components/sider.tsx	Updated rel attribute for external links to include noopener alongside noreferrer for improved security when opening links in new tabs.
Page External Links src/pages/api-tokens.tsx, src/pages/register.tsx, src/pages/user.tsx	Standardized rel attributes on external links pointing to API documentation, user agreements, and pricing pages to use "noopener noreferrer".
Management Component Links src/pages/manage/components/commit.tsx, src/pages/manage/components/version-table.tsx	Updated rel attributes for external commit hash and QR code links to enforce consistent security relationship handling.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐰 With whiskers twitched and nose held high,
I've sealed each link that points outside,
No opener creeps through borders crossed,
No referrer secrets to be lost,
Security wrapped, both safe and spry! 🔒

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding security attributes to fix a reverse tabnabbing vulnerability via target='_blank' links across multiple components.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-security-reverse-tabnabbing-13889870270911040278

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}