[security] target="_blank" without rel="noopener" #315
Labels
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
type/bug
Milestone
https://github.com/go-gitea/gitea/blob/bad1bc6/models/repo.go#L502
If you have links to another origin, you should use
rel="noopener"
, especially if they open in a new tab/window.Without this, the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using
window.opener.location = newURL
.Refs
The text was updated successfully, but these errors were encountered: