fix: add rel="noopener noreferrer" to web console links opening in a new tab (#19483)

wlswo · web-flow · commit 1d87a74ed7d3 · 2026-05-19T09:47:19.000-07:00
Several Blueprint MenuItem and AnchorButton usages in the web console
open external links in a new tab via target="_blank" but do not set the
companion rel attribute. Unlike the project's own ExternalLink
component, Blueprint does not inject rel="noopener noreferrer"
automatically (verified against the rendered HTML in about-dialog's
snapshot), so each new tab can reach back into the opener window and
the destination receives a Referer header.

Add rel="noopener noreferrer" to every existing target="_blank" call
site that was missing it: the help menu and Explore link in the header
bar, the "Visit Druid" button in the about dialog, the DruidSQL docs
menu item in the workbench, the array ingest mode docs menu item in the
run panel, the flattenSpec help button in the load-data view, and the
"Learn more" button in the SQL data loader schema step.

Snapshot tests are updated to match the new rendered HTML; no other
behavior changes.
diff --git a/web-console/src/components/header-bar/__snapshots__/header-bar.spec.tsx.snap b/web-console/src/components/header-bar/__snapshots__/header-bar.spec.tsx.snap
@@ -179,6 +179,7 @@ exports[`HeaderBar matches snapshot 1`] = `
             }
             multiline={false}
             popoverProps={{}}
+            rel="noopener noreferrer"
             selected={false}
             shouldDismissPopover={true}
             target="_blank"
@@ -390,6 +391,7 @@ exports[`HeaderBar matches snapshot 1`] = `
             icon="th"
             multiline={false}
             popoverProps={{}}
+            rel="noopener noreferrer"
             shouldDismissPopover={true}
             target="_blank"
             text="Docs"
@@ -401,6 +403,7 @@ exports[`HeaderBar matches snapshot 1`] = `
             icon="user"
             multiline={false}
             popoverProps={{}}
+            rel="noopener noreferrer"
             shouldDismissPopover={true}
             target="_blank"
             text="User group"
@@ -412,6 +415,7 @@ exports[`HeaderBar matches snapshot 1`] = `
             icon="chat"
             multiline={false}
             popoverProps={{}}
+            rel="noopener noreferrer"
             shouldDismissPopover={true}
             target="_blank"
             text="Slack channel"
@@ -423,6 +427,7 @@ exports[`HeaderBar matches snapshot 1`] = `
             icon="git-branch"
             multiline={false}
             popoverProps={{}}
+            rel="noopener noreferrer"
             shouldDismissPopover={true}
             target="_blank"
             text="GitHub"
diff --git a/web-console/src/components/header-bar/header-bar.tsx b/web-console/src/components/header-bar/header-bar.tsx
@@ -133,31 +133,41 @@ export const HeaderBar = React.memo(function HeaderBar(props: HeaderBarProps) {
         disabled={!capabilities.hasSql()}
         selected={activeView === 'explore'}
         target="_blank"
+        rel="noopener noreferrer"
       />
     </Menu>
   );
 
   const helpMenu = (
     <Menu>
       <MenuItem icon={IconNames.GRAPH} text="About" onClick={() => setAboutDialogOpen(true)} />
-      <MenuItem icon={IconNames.TH} text="Docs" href={getLink('DOCS')} target="_blank" />
+      <MenuItem
+        icon={IconNames.TH}
+        text="Docs"
+        href={getLink('DOCS')}
+        target="_blank"
+        rel="noopener noreferrer"
+      />
       <MenuItem
         icon={IconNames.USER}
         text="User group"
         href={getLink('USER_GROUP')}
         target="_blank"
+        rel="noopener noreferrer"
       />
       <MenuItem
         icon={IconNames.CHAT}
         text="Slack channel"
         href={getLink('SLACK')}
         target="_blank"
+        rel="noopener noreferrer"
       />
       <MenuItem
         icon={IconNames.GIT_BRANCH}
         text="GitHub"
         href={getLink('GITHUB')}
         target="_blank"
+        rel="noopener noreferrer"
       />
     </Menu>
   );
diff --git a/web-console/src/dialogs/about-dialog/__snapshots__/about-dialog.spec.tsx.snap b/web-console/src/dialogs/about-dialog/__snapshots__/about-dialog.spec.tsx.snap
@@ -140,6 +140,7 @@ exports[`AboutDialog matches snapshot 1`] = `
               aria-disabled="false"
               class="bp5-button bp5-intent-primary"
               href="https://druid.apache.org"
+              rel="noopener noreferrer"
               role="button"
               target="_blank"
             >
diff --git a/web-console/src/dialogs/about-dialog/about-dialog.tsx b/web-console/src/dialogs/about-dialog/about-dialog.tsx
@@ -57,7 +57,12 @@ export const AboutDialog = React.memo(function AboutDialog(props: AboutDialogPro
       <div className={Classes.DIALOG_FOOTER}>
         <div className={Classes.DIALOG_FOOTER_ACTIONS}>
           <Button onClick={onClose}>Close</Button>
-          <AnchorButton intent={Intent.PRIMARY} href={getLink('WEBSITE')} target="_blank">
+          <AnchorButton
+            intent={Intent.PRIMARY}
+            href={getLink('WEBSITE')}
+            target="_blank"
+            rel="noopener noreferrer"
+          >
             Visit Druid
           </AnchorButton>
         </div>
diff --git a/web-console/src/views/load-data-view/load-data-view.tsx b/web-console/src/views/load-data-view/load-data-view.tsx
@@ -1767,6 +1767,7 @@ export class LoadDataView extends React.PureComponent<LoadDataViewProps, LoadDat
             icon={IconNames.INFO_SIGN}
             href={`${getLink('DOCS')}/ingestion/data-formats#flattenspec`}
             target="_blank"
+            rel="noopener noreferrer"
             minimal
           />
         </FormGroup>
diff --git a/web-console/src/views/sql-data-loader-view/schema-step/schema-step.tsx b/web-console/src/views/sql-data-loader-view/schema-step/schema-step.tsx
@@ -985,6 +985,7 @@ export const SchemaStep = function SchemaStep(props: SchemaStepProps) {
                   text="Learn more..."
                   href={`${getLink('DOCS')}/ingestion/schema-model#primary-timestamp`}
                   target="_blank"
+                  rel="noopener noreferrer"
                   intent={Intent.WARNING}
                   minimal
                 />
diff --git a/web-console/src/views/workbench-view/run-panel/run-panel.tsx b/web-console/src/views/workbench-view/run-panel/run-panel.tsx
@@ -478,6 +478,7 @@ export const RunPanel = React.memo(function RunPanel(props: RunPanelProps) {
                         text="Documentation"
                         href={`${getLink('DOCS')}/querying/arrays#arrayingestmode`}
                         target="_blank"
+                        rel="noopener noreferrer"
                       />
                     </MenuItem>
                     <MenuBoolean
diff --git a/web-console/src/views/workbench-view/workbench-view.tsx b/web-console/src/views/workbench-view/workbench-view.tsx
@@ -867,6 +867,7 @@ export class WorkbenchView extends React.PureComponent<WorkbenchViewProps, Workb
                   text="DruidSQL documentation"
                   href={getLink('DOCS_SQL')}
                   target="_blank"
+                  rel="noopener noreferrer"
                 />
               )}
               {queryEngines.includes('sql-msq-task') &&

Original file line number	Diff line number	Diff line change
@@ -140,6 +140,7 @@ exports[`AboutDialog matches snapshot 1`] = `
`140`	`140`	`aria-disabled="false"`
`141`	`141`	`class="bp5-button bp5-intent-primary"`
`142`	`142`	`href="https://druid.apache.org"`
	`143`	`+ rel="noopener noreferrer"`
`143`	`144`	`role="button"`
`144`	`145`	`target="_blank"`
`145`	`146`	`>`