Closed
Description
https://github.com/go-gitea/gitea/blob/bad1bc6/models/repo.go#L502
If you have links to another origin, you should use rel="noopener", especially if they open in a new tab/window.
<a href="http://example.com" target="_blank" rel="noopener">
Example site
</a>Without this, the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using window.opener.location = newURL.
Refs
- https://mathiasbynens.github.io/rel-noopener/
- https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/
- https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
- https://github.com/danielstjules/blankshield
- https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
- https://dev.to/ben/the-targetblank-vulnerability-by-example
- https://github.com/cure53/H5SC#html5-security-cheatsheet
- https://github.com/cure53/DOMPurify