From abd24a98e6ce54262d689e449394c6ccbac8a38a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?=
Date: Sun, 20 Oct 2019 13:33:07 +0300
Subject: [PATCH] Set the noreferrer attribute to links and images

An alternative fix to vector-im/riot-web#6147 which for some reason the PR vector-im/riot-web#6155 is not yet merged. The key difference is that the riot-web PR vector-im/riot-web#6155 uses HTML meta header for noreferrer, while this one adds the rel-attribute to include the noreferrer keyword in both user-created links as well as links converted from incoming events. I guess it's up to the maintainers then to pick and choose, but please do ;).
---
 src/HtmlUtils.js | 2 ++
 src/linkify-matrix.js | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index 2266522bfec..914ab7ff3f2 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -167,6 +167,7 @@ const transformTags = { // custom to matrix
 }
 }
 attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
+ attribs.rel += ' noreferrer';
 return { tagName, attribs };
 },
 'img': function(tagName, attribs) {
@@ -181,6 +182,7 @@ const transformTags = { // custom to matrix
 attribs.width || 800,
 attribs.height || 600,
 );
+ attribs.rel = 'noreferrer';
 return { tagName, attribs };
 },
 'code': function(tagName, attribs) {
diff --git a/src/linkify-matrix.js b/src/linkify-matrix.js
index fabd9d15adc..54ba09c6e52 100644
--- a/src/linkify-matrix.js
+++ b/src/linkify-matrix.js
@@ -227,7 +227,7 @@ matrixLinkify.options = {
 },
 linkAttributes: {
- rel: 'noopener',
+ rel: 'noopener noreferrer',
 },
 target: function(href, type) {
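Review bot: In the first src/HtmlUtils.js hunk the link transform now builds `rel` in two statements, and the only comment on it still explains `noopener` alone. A single assignment, `attribs.rel = 'noopener noreferrer'; // noopener: target gets no window.opener; noreferrer: no Referer header is sent`, would match the literal this commit writes into `linkAttributes` in src/linkify-matrix.js and record why each keyword is there. Because the value is assigned rather than merged, any `rel` that arrived with the event is discarded, which looks intended for untrusted message HTML. The transform function starts before the hunk, so its earlier handling of the link is not visible here.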
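Review bot: `attribs.rel = 'noreferrer';` in the `'img'` transform (second src/HtmlUtils.js hunk) is unlikely to have any effect, because `rel` is not an attribute of `<img>` and browsers do not consult it when fetching an image. The attribute that controls the Referer header on an image request is `referrerpolicy`, so the line would be `attribs.referrerpolicy = 'no-referrer';`. The sanitizer's attribute allowlist for `img` is outside this hunk; if attributes are filtered after the transform runs, `referrerpolicy` has to be listed there or it will be stripped again. The opening lines of the transform are outside the hunk as well.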