Open external links using rel="noopener" by laurentpellegrino · Pull Request #293 · jonschlinkert/remarkable

laurentpellegrino · 2018-02-15T10:10:34Z

For performance and security reasons, this patch opens external links using rel="noopener" when target is defined and other than _self.

More details about the reason for this patch are available below:

https://developers.google.com/web/tools/lighthouse/audits/noopener

laurentpellegrino · 2018-02-15T10:14:18Z

@jonschlinkert Do you think it is possible to merge and create a new release for this PR that is about performance and security?

Please note I tried to run tests but there are missing dependencies and the --reset option no longer exists for the version of es-lint that is fetched. Once that fixed, tests run but fail, with or without changes from this PR.

doowb

There's a typo, but other than that, I think this might be okay. The one question I have, is how would someone that expects to be able to use window.opener for an internal link be able to do that? This might need to be handled with an option so users have more control over when noopener is set.

doowb · 2018-02-15T16:51:29Z

  var title = tokens[idx].title ? (' title="' + escapeHtml(replaceEntities(tokens[idx].title)) + '"') : '';
  var target = options.linkTarget ? (' target="' + options.linkTarget + '"') : '';
-  return '<a href="' + escapeHtml(tokens[idx].href) + '"' + title + target + '>';
+  var rel = options.linkTarget && options.linkTarget !== '_self' ? (' ref="noopener"') : '';


This should be rel="noopener".

For performance and security reasons, this patch opens external links using `rel="noopener"` when target is defined and other than `_self`. More details about the reason for this patch are available below: https://developers.google.com/web/tools/lighthouse/audits/noopener

laurentpellegrino · 2018-02-15T17:23:45Z

@doowb Thanks, the typo is fixed.

how would someone that expects to be able to use window.opener for an internal link be able to do that?

In that case, people can set the existing linkTarget option to value _self or leave it empty? The rel attribute is added if the target is different from previously mentioned values.

The fact that we do not have fine grain control over link attributes per link seems to be another problem that is not even yet addressed for the target. I have opened an issue about this point: #291.

doowb · 2018-02-15T17:34:06Z

@lpellegr thanks! I'll leave this open for a few days to see if anyone else has any comments or suggestions about this change.

shockey · 2018-08-03T00:12:55Z

@doowb @lpellegr, any updates on this PR? Is there anything I can do to help get it merged?

doowb · 2018-08-03T01:41:05Z

I'll merge this and try to get it published this weekend. I think some other things have been merged since the last published version so I might have to backport the changes if this should be a patch bump.

doowb · 2018-08-07T18:20:13Z

I didn't forget about this. There are some things that need to be done with the repository before this can be merged.

larsnystrom · 2018-08-09T12:12:48Z

rel="noopener" is not supported in Edge, IE11 or older versions of Firefox. It would be better to use rel="noopener noreferrer", in order to solve this security issue for more browsers. See https://mathiasbynens.github.io/rel-noopener/

rankida · 2018-11-08T10:01:17Z

Is there any update on this PR?

shockey · 2018-11-08T16:28:15Z

FYI: since Remarkable doesn't support this, we've started using DomPurify to handle attaching noopener noreferrer to anchor links.

Here's the plugin we wrote: https://github.com/swagger-api/swagger-ui/blob/59bd9f4988007a0e561a62831f444787b84f6f2c/src/core/components/providers/markdown.jsx#L7-L16

If you're handling user generated Markdown, you should be sanitizing your output anyway! DomPurify is by far the best sanitization library that I've come across 😄

laurentpellegrino · 2018-12-07T13:50:57Z

@doowb any news?

richard-smartbear · 2018-12-24T13:36:38Z

@doowb any news on this? 😸

doowb requested changes Feb 15, 2018

View reviewed changes

doowb approved these changes Feb 15, 2018

View reviewed changes

This was referenced Feb 15, 2018

Allowing custom target per link #291

Open

Opening external anchors using rel="noopener" #292

Open

Repository owner deleted a comment from laurentpellegrino Nov 27, 2019

jonschlinkert reopened this Nov 27, 2019

Repository owner locked as resolved and limited conversation to collaborators Nov 27, 2019

Uh oh!

Conversation

laurentpellegrino commented Feb 15, 2018

Uh oh!

laurentpellegrino commented Feb 15, 2018

Uh oh!

doowb left a comment

Choose a reason for hiding this comment

Uh oh!

doowb Feb 15, 2018

Choose a reason for hiding this comment

Uh oh!

laurentpellegrino commented Feb 15, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

doowb commented Feb 15, 2018

Uh oh!

shockey commented Aug 3, 2018

Uh oh!

doowb commented Aug 3, 2018

Uh oh!

doowb commented Aug 7, 2018

Uh oh!

larsnystrom commented Aug 9, 2018

Uh oh!

rankida commented Nov 8, 2018

Uh oh!

shockey commented Nov 8, 2018

Uh oh!

laurentpellegrino commented Dec 7, 2018

Uh oh!

richard-smartbear commented Dec 24, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

laurentpellegrino commented Feb 15, 2018 •

edited

Loading