security: add noopener,noreferrer to window.open calls

Add 'noopener,noreferrer' as the window-features argument to all
window.open() calls with target='_blank' to prevent tabnabbing attacks.
This stops the newly opened page from accessing window.opener, so it
cannot navigate or otherwise tamper with the tab that opened it.

Affected files:
- use-dev-servers.ts: Dev server URL links
- worktree-actions-dropdown.tsx: PR URL links
- create-pr-dialog.tsx: PR creation and browser fallback links

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Shirone
2026-01-13 19:43:20 +01:00
parent 62af2031f6
commit f4390bc82f
3 changed files with 9 additions and 6 deletions


@@ -324,7 +324,7 @@ export function WorktreeActionsDropdown({
<>
<DropdownMenuItem
onClick={() => {
window.open(worktree.pr!.url, '_blank');
window.open(worktree.pr!.url, '_blank', 'noopener,noreferrer');
}}
className="text-xs"
>
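Review bot: The URL passed at the changed `window.open` call, `worktree.pr!.url`, is still opened without any scheme check; `noopener,noreferrer` cuts the new page off from `window.opener` but does not restrict what kind of URL gets opened. If the PR URL can come from anything other than a trusted forge response (its origin is not visible in this hunk), parse it first and open only web URLs, e.g. `const prUrl = new URL(worktree.pr!.url);` then `if (prUrl.protocol === 'https:' || prUrl.protocol === 'http:') window.open(prUrl.href, '_blank', 'noopener,noreferrer');`. `new URL` throws on malformed input, so the handler needs a try/catch around it. With `noopener` the call returns `null`, so no caller should test the return value to detect a blocked popup. `WorktreeActionsDropdown` starts and ends outside the hunk.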


@@ -143,7 +143,7 @@ export function useDevServers({ projectPath }: UseDevServersOptions) {
}
devServerUrl.hostname = window.location.hostname;
window.open(devServerUrl.toString(), '_blank');
window.open(devServerUrl.toString(), '_blank', 'noopener,noreferrer');
} catch (error) {
logger.error('Failed to parse dev server URL:', error);
toast.error('Failed to open dev server', {