Fix and enforce `noopener noreferrer` on `target=_blank`

See https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Also prefer `rel="noreferrer"` over the `referrerpolicy` attribute, since `rel` is much better supported:
https://developer.mozilla.org/en-US/docs/Web/API/HTMLAnchorElement/rel
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Closes #12767
Matej Marusak 2019-09-11 10:07:10 +02:00 committed by Martin Pitt
parent 9eb7ce7551
commit 92875a13ce
3 changed files with 5 additions and 6 deletions


@ -40,7 +40,6 @@
"react/jsx-indent-props": "off",
"react/jsx-key": "off",
"react/jsx-handler-names": "off",
"react/jsx-no-target-blank": "off",
"react/jsx-closing-bracket-location": "off",
"react/jsx-closing-tag-location": "off",
"react/jsx-curly-newline": "off",


@ -63,7 +63,7 @@ export class Application extends React.Component {
return urls.map(url => {
if (url.type == 'homepage') {
return (<div className="app-links" key={url.link}>
<a href={url.link} target="_blank" rel="noopener" data-linkedhost={url.link}>
<a href={url.link} target="_blank" rel="noopener noreferrer" data-linkedhost={url.link}>
View Project Website <i className="fa fa-external-link" aria-hidden="true" />
</a>
</div>);
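Review bot: The `rel="noopener noreferrer"` on the new line only protects this page against reverse tabnabbing; it does nothing if `url.link` itself is a `javascript:` or `data:` URL, and nothing in the hunk checks the scheme before it is placed in `href`. Unless the source of `urls` is known to be trusted (not visible here), consider rendering the anchor only for web URLs, e.g. `if (url.type == 'homepage' && /^https?:\/\//i.test(url.link)) {`. Also, `noreferrer` already implies `noopener` in browsers that support it, so the explicit `noopener` only matters for older browsers — worth a short comment such as `// noreferrer implies noopener in modern browsers; noopener kept for older ones`. The `urls.map` callback and its enclosing method start and end outside the hunk.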


@ -223,7 +223,7 @@ class UpdateItem extends React.Component {
if (info.bug_urls && info.bug_urls.length) {
// we assume a bug URL ends with a number; if not, show the complete URL
bugs = insertCommas(info.bug_urls.map(url => (
<a key={url} rel="noopener" referrerPolicy="no-referrer" target="_blank" href={url}>
<a key={url} rel="noopener noreferrer" target="_blank" href={url}>
{url.match(/[0-9]+$/) || url}
</a>)
));
@ -232,7 +232,7 @@ class UpdateItem extends React.Component {
var cves = null;
if (info.cve_urls && info.cve_urls.length) {
cves = insertCommas(info.cve_urls.map(url => (
<a key={url} href={url} rel="noopener" referrerPolicy="no-referrer" target="_blank">
<a key={url} href={url} rel="noopener noreferrer" target="_blank">
{url.match(/[^/=]+$/)}
</a>)
));
@ -241,7 +241,7 @@ class UpdateItem extends React.Component {
var errata = null;
if (info.vendor_urls) {
errata = insertCommas(info.vendor_urls.filter(url => url.indexOf("/errata/") > 0).map(url => (
<a key={url} href={url} rel="noopener" referrerPolicy="no-referrer" target="_blank">
<a key={url} href={url} rel="noopener noreferrer" target="_blank">
{url.match(/[^/=]+$/)}
</a>)
));
@ -255,7 +255,7 @@ class UpdateItem extends React.Component {
var type;
if (info.severity === PK.Enum.INFO_SECURITY) {
if (secSeverityURL)
secSeverityURL = <a rel="noopener" referrerPolicy="no-referrer" target="_blank" href={secSeverityURL}>{secSeverity}</a>;
secSeverityURL = <a rel="noopener noreferrer" target="_blank" href={secSeverityURL}>{secSeverity}</a>;
type = (
<>
<OverlayTrigger overlay={ <Tooltip id="tip-severity">{ secSeverity || _("security") }</Tooltip> } placement="top">
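Review bot: In the `cve_urls` and `vendor_urls` hunks the link text is `url.match(/[^/=]+$/)` with no fallback, so a URL ending in `/` or `=` yields `null` and produces an anchor with no visible text that cannot be clicked, whereas the `bug_urls` hunk already guards this with `|| url`. Apply the same fallback on both lines: `{url.match(/[^/=]+$/) || url}`. The `rel="noopener noreferrer"` changes themselves look right; `noreferrer` implies `noopener` in browsers that support it, so the explicit `noopener` is only there for older browsers and a one-line comment saying so would help the next reader. The `UpdateItem` render method these hunks belong to starts and ends outside the hunks.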