imyjimmy / hacktoberfest-app

A repo for people to make random PRs to for Hacktoberfest

Security Issue: Using target="_blank" without rel="noopener noreferrer" #2

Closed imyjimmy closed 4 years ago

imyjimmy commented 4 years ago

I approved a PR that builds but only after setting CI to false in netlify. I approved it because it still builds, but it has now introduced the following security issue:

12:23:40 PM: Most CI servers set it automatically.
12:23:40 PM: 
12:23:40 PM: Failed to compile.
12:23:40 PM: 
12:23:40 PM: ./src/navbar/Header.js
12:23:40 PM:   Line 21:115:  Using target="_blank" without rel="noopener noreferrer" is a security risk: see https://mathiasbynens.github.io/rel-noopener  react/jsx-no-target-blank
12:23:40 PM: error Command failed with exit code 1.

If someone else can resolve the issue, that would be a worthwhile #hacktoberfest PR.

marnixbouhuis commented 4 years ago

Hi @imyjimmy

Having a link with target set to blank allows the new window to get access to your site by using window.opener. I can fix this, can you assign me?

Adding rel="noopener noreferrer" will remove the referrer header and window.opener.
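To make the behaviour behind the lint error concrete, here is an added example (not code from the hacktoberfest-app repo or from either commenter): a small checker that flags anchors with target="_blank" whose rel lacks noopener, which is the core of what react/jsx-no-target-blank reports, plus a helper that produces the hardened attribute set. The markup in SAMPLE_MARKUP is constructed for the example; the function and variable names are the example's own.

```javascript
// Added example: detect target="_blank" links missing rel="noopener", and
// show the hardened form. Regex-based on purpose so it runs without a DOM.

// Matches an opening <a ...> tag and captures its attribute string.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Matches name="value", name='value' or name=value attribute pairs.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/g;

function parseAttrs(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

function relTokens(attrs) {
  return (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// A link opened in a new browsing context without "noopener" hands the opened
// page a window.opener reference; that is the condition the lint rule flags.
function isUnsafeTargetBlank(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  return !relTokens(attrs).includes('noopener');
}

// Scan a markup string and return every offending anchor with its href.
function findUnsafeTargetBlank(markup) {
  const findings = [];
  for (const m of markup.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isUnsafeTargetBlank(attrs)) {
      findings.push({ href: attrs.href || '', tag: m[0] });
    }
  }
  return findings;
}

// The fix from the issue: add both "noopener" and "noreferrer" to rel when
// target is "_blank", keeping any rel tokens that were already present.
function hardenLinkAttrs(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return { ...attrs };
  const rel = new Set(relTokens(attrs));
  rel.add('noopener');
  rel.add('noreferrer');
  return { ...attrs, rel: [...rel].join(' ') };
}

function renderAnchor(attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`);
  return `<a ${parts.join(' ')}>`;
}

// Constructed sample markup (not from the repository's Header.js).
const SAMPLE_MARKUP = [
  '<a href="https://example.com" target="_blank">external</a>',
  '<a href="https://example.com" target="_blank" rel="noopener noreferrer">safe</a>',
  "<a href='/about' target='_self'>internal</a>",
  '<a href="https://example.org" target="_BLANK" rel="nofollow">also unsafe</a>',
].join('\n');

for (const f of findUnsafeTargetBlank(SAMPLE_MARKUP)) {
  console.log('unsafe:', f.tag);
  console.log('fixed: ', renderAnchor(hardenLinkAttrs(parseAttrs(f.tag.slice(2, -1)))));
}
```

Running it on the sample lists the two anchors without noopener and prints each with the rel attribute added; noreferrer is included alongside noopener, as the issue's fix does, so the Referer header is also dropped for those links.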

luisFilipePT commented 4 years ago

@MarnixBouhuis sorry we opened a PR at the same time I guess.

Gonna close mine 😄

marnixbouhuis commented 4 years ago

Oops, sorry