security: add noopener,noreferrer to window.open calls

Add the 'noopener,noreferrer' features argument to all window.open() calls
that use target='_blank' to prevent tabnabbing attacks. This stops the newly
opened page from accessing window.opener, protecting against that class of
security vulnerability.

Affected files:
- use-dev-servers.ts: Dev server URL links
- worktree-actions-dropdown.tsx: PR URL links
- create-pr-dialog.tsx: PR creation and browser fallback links

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Shirone
2026-01-13 19:43:20 +01:00
parent 62af2031f6
commit f4390bc82f
3 changed files with 9 additions and 6 deletions


@@ -117,7 +117,7 @@ export function CreatePRDialog({
description: `PR already exists for ${result.result.branch}`,
action: {
label: 'View PR',
onClick: () => window.open(result.result!.prUrl!, '_blank'),
onClick: () => window.open(result.result!.prUrl!, '_blank', 'noopener,noreferrer'),
},
});
} else {
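Review bot: The features string 'noopener,noreferrer' is now repeated verbatim at every call site — this hunk, the hunks at @@ -125, @@ -251 and @@ -277 in this file, and the one in worktree-actions-dropdown.tsx and use-dev-servers.ts — so the next window.open added to the codebase can silently miss it. A small shared helper removes the duplication and gives the rule one home: `export function openExternal(url: string): void { window.open(url, '_blank', 'noopener,noreferrer'); }` with the call site becoming `onClick: () => openExternal(result.result!.prUrl!),`. That helper is also the natural place to reject non-http(s) schemes if `prUrl`, which arrives from the PR-creation result, is not guaranteed to be an http(s) URL by its producer — the hunk shows no such check, so this is an assumption to confirm. Note that `noreferrer` already implies `noopener` in current browsers, so listing both is harmless belt-and-braces rather than a required pair. The enclosing handler inside CreatePRDialog starts and ends outside this hunk.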
@@ -125,7 +125,7 @@ export function CreatePRDialog({
description: `PR created from ${result.result.branch}`,
action: {
label: 'View PR',
onClick: () => window.open(result.result!.prUrl!, '_blank'),
onClick: () => window.open(result.result!.prUrl!, '_blank', 'noopener,noreferrer'),
},
});
}
@@ -251,7 +251,10 @@ export function CreatePRDialog({
<p className="text-sm text-muted-foreground mt-1">Your PR is ready for review</p>
</div>
<div className="flex gap-2 justify-center">
<Button onClick={() => window.open(prUrl, '_blank')} className="gap-2">
<Button
onClick={() => window.open(prUrl, '_blank', 'noopener,noreferrer')}
className="gap-2"
>
<ExternalLink className="w-4 h-4" />
View Pull Request
</Button>
@@ -277,7 +280,7 @@ export function CreatePRDialog({
<Button
onClick={() => {
if (browserUrl) {
window.open(browserUrl, '_blank');
window.open(browserUrl, '_blank', 'noopener,noreferrer');
}
}}
className="gap-2 w-full"


@@ -324,7 +324,7 @@ export function WorktreeActionsDropdown({
<>
<DropdownMenuItem
onClick={() => {
window.open(worktree.pr!.url, '_blank');
window.open(worktree.pr!.url, '_blank', 'noopener,noreferrer');
}}
className="text-xs"
>


@@ -143,7 +143,7 @@ export function useDevServers({ projectPath }: UseDevServersOptions) {
}
devServerUrl.hostname = window.location.hostname;
window.open(devServerUrl.toString(), '_blank');
window.open(devServerUrl.toString(), '_blank', 'noopener,noreferrer');
} catch (error) {
logger.error('Failed to parse dev server URL:', error);
toast.error('Failed to open dev server', {