Skip to content

Security: Reverse tabnabbing risk from target="_blank" links without rel protections#2230

Open
tuanaiseo wants to merge 1 commit intowxt-dev:mainfrom
tuanaiseo:contribai/fix/security/reverse-tabnabbing-risk-from-target-blan
Open

Security: Reverse tabnabbing risk from target="_blank" links without rel protections#2230
tuanaiseo wants to merge 1 commit intowxt-dev:mainfrom
tuanaiseo:contribai/fix/security/reverse-tabnabbing-risk-from-target-blan

Conversation

@tuanaiseo
Copy link
Copy Markdown

@tuanaiseo tuanaiseo commented Apr 3, 2026

Problem

Multiple templates open external sites in new tabs with target="_blank" but without rel="noopener noreferrer". Opened pages can access window.opener and potentially navigate the originating extension page.

Severity: low
File: templates/react/entrypoints/popup/App.tsx

Solution

Add rel="noopener noreferrer" to all external links using target="_blank" across templates and docs components.

Changes

  • templates/react/entrypoints/popup/App.tsx (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

@tuanaiseo
fix(security): reverse tabnabbing risk from target="_blank" lin
f85fdc3 
Multiple templates open external sites in new tabs with `target="_blank"` but without `rel="noopener noreferrer"`. Opened pages can access `window.opener` and potentially navigate the originating extension page.

Affected files: App.tsx

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
@tuanaiseo tuanaiseo requested a review from aklinker1 as a code owner April 3, 2026 23:07
@netlify
Copy link
Copy Markdown

netlify bot commented Apr 3, 2026
edited
Loading

Deploy Preview for creative-fairy-df92c4 ready!

Name Link
🔨 Latest commit f85fdc3
🔍 Latest deploy log https://app.netlify.com/projects/creative-fairy-df92c4/deploys/69d04846e6965f0008dbdb66
😎 Deploy Preview https://deploy-preview-2230--creative-fairy-df92c4.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@PatrykKuniczak
Copy link
Copy Markdown
Collaborator

PatrykKuniczak commented Apr 5, 2026
edited
Loading

@tuanaiseo It's even possible to reffer to popup from outer page.
Popup'll be closed on open X page.

Both PRs looks like, vibe hacking.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aklinker1 aklinker1 Awaiting requested review from aklinker1 aklinker1 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@tuanaiseo tuanaiseo

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tuanaiseo @PatrykKuniczak