Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open external links using rel="noopener" #293

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Open external links using rel="noopener" #293

wants to merge 1 commit into from

Conversation

lpellegr
Copy link

For performance and security reasons, this patch opens external links using rel="noopener" when target is defined and other than _self.

More details about the reason for this patch are available below:

https://developers.google.com/web/tools/lighthouse/audits/noopener

@lpellegr
Copy link
Author

@jonschlinkert Do you think it is possible to merge and create a new release for this PR that is about performance and security?

Please note I tried to run tests but there are missing dependencies and the --reset option no longer exists for the version of es-lint that is fetched. Once that fixed, tests run but fail, with or without changes from this PR.

doowb
doowb requested changes Feb 15, 2018
View reviewed changes
Copy link
Collaborator

@doowb doowb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a typo, but other than that, I think this might be okay. The one question I have, is how would someone that expects to be able to use window.opener for an internal link be able to do that? This might need to be handled with an option so users have more control over when noopener is set.

lib/rules.js Outdated
@@ -157,7 +157,8 @@ rules.paragraph_close = function(tokens, idx /*, options, env */) {
rules.link_open = function(tokens, idx, options /* env */) {
var title = tokens[idx].title ? (' title="' + escapeHtml(replaceEntities(tokens[idx].title)) + '"') : '';
var target = options.linkTarget ? (' target="' + options.linkTarget + '"') : '';
return '<a href="' + escapeHtml(tokens[idx].href) + '"' + title + target + '>';
var rel = options.linkTarget && options.linkTarget !== '_self' ? (' ref="noopener"') : '';
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be rel="noopener".

@lpellegr
Open external links using rel="noopener"
5d6fd01 
For performance and security reasons, this patch opens external links using `rel="noopener"` when target is defined and other than `_self`.

More details about the reason for this patch are available below:

https://developers.google.com/web/tools/lighthouse/audits/noopener
@lpellegr
Copy link
Author

lpellegr commented Feb 15, 2018
edited
Loading

@doowb Thanks, the typo is fixed.

how would someone that expects to be able to use window.opener for an internal link be able to do that?

In that case, people can set the existing linkTarget option to value _self or leave it empty? The rel attribute is added if the target is different from previously mentioned values.

The fact that we do not have fine grain control over link attributes per link seems to be another problem that is not even yet addressed for the target. I have opened an issue about this point: #291.

@doowb
Copy link
Collaborator

doowb commented Feb 15, 2018

@lpellegr thanks! I'll leave this open for a few days to see if anyone else has any comments or suggestions about this change.

This was referenced Feb 15, 2018
Open
Open
@shockey
Copy link
Collaborator

shockey commented Aug 3, 2018

@doowb @lpellegr, any updates on this PR? Is there anything I can do to help get it merged?

@doowb
Copy link
Collaborator

doowb commented Aug 3, 2018

I'll merge this and try to get it published this weekend. I think some other things have been merged since the last published version so I might have to backport the changes if this should be a patch bump.

@doowb
Copy link
Collaborator

doowb commented Aug 7, 2018

I didn't forget about this. There are some things that need to be done with the repository before this can be merged.

@larsnystrom
Copy link

rel="noopener" is not supported in Edge, IE11 or older versions of Firefox. It would be better to use rel="noopener noreferrer", in order to solve this security issue for more browsers. See https://mathiasbynens.github.io/rel-noopener/

@rankida
Copy link

rankida commented Nov 8, 2018

Is there any update on this PR?

@shockey
Copy link
Collaborator

shockey commented Nov 8, 2018

FYI: since Remarkable doesn't support this, we've started using DomPurify to handle attaching noopener noreferrer to anchor links.

Here's the plugin we wrote: https://github.com/swagger-api/swagger-ui/blob/59bd9f4988007a0e561a62831f444787b84f6f2c/src/core/components/providers/markdown.jsx#L7-L16

If you're handling user generated Markdown, you should be sanitizing your output anyway! DomPurify is by far the best sanitization library that I've come across 😄

@lpellegr
Copy link
Author

lpellegr commented Dec 7, 2018

@doowb any news?

@richard-smartbear
Copy link

@doowb any news on this? 😸

@lpellegr lpellegr closed this Nov 26, 2019
Repository owner deleted a comment from lpellegr Nov 27, 2019
@jonschlinkert jonschlinkert reopened this Nov 27, 2019
Repository owner locked as resolved and limited conversation to collaborators Nov 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@doowb doowb doowb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@lpellegr @doowb @shockey @larsnystrom @rankida @richard-smartbear @jonschlinkert