ros/automaker
1
0
Fork 0
mirror of https://github.com/AutoMaker-Org/automaker.git synced 2026-02-03 21:03:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: add noopener,noreferrer to window.open calls

Browse Source 
Add 'noopener,noreferrer' parameter to all window.open() calls with
target='_blank' to prevent tabnabbing attacks. This prevents the newly
opened page from accessing window.opener, protecting against potential
security vulnerabilities.

Affected files:
- use-dev-servers.ts: Dev server URL links
- worktree-actions-dropdown.tsx: PR URL links
- create-pr-dialog.tsx: PR creation and browser fallback links

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Shirone
2026-01-13 19:43:20 +01:00
parent 62af2031f6
commit f4390bc82f
3 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/ui/src/components/views/board-view/dialogs/create-pr-dialog.tsx
View File

@@ -117,7 +117,7 @@ export function CreatePRDialog({
description: `PR already exists for ${result.result.branch}`, description: `PR already exists for ${result.result.branch}`,
action: { action: {
label: 'View PR', label: 'View PR',
onClick: () => window.open(result.result!.prUrl!, '_blank'), onClick: () => window.open(result.result!.prUrl!, '_blank', 'noopener,noreferrer'),
}, },
}); });
} else { } else {
@@ -125,7 +125,7 @@ export function CreatePRDialog({
description: `PR created from ${result.result.branch}`, description: `PR created from ${result.result.branch}`,
action: { action: {
label: 'View PR', label: 'View PR',
onClick: () => window.open(result.result!.prUrl!, '_blank'), onClick: () => window.open(result.result!.prUrl!, '_blank', 'noopener,noreferrer'),
}, },
}); });
} }
@@ -251,7 +251,10 @@ export function CreatePRDialog({
<p className="text-sm text-muted-foreground mt-1">Your PR is ready for review</p> <p className="text-sm text-muted-foreground mt-1">Your PR is ready for review</p>
</div> </div>
<div className="flex gap-2 justify-center"> <div className="flex gap-2 justify-center">
<Button onClick={() => window.open(prUrl, '_blank')} className="gap-2"> <Button
onClick={() => window.open(prUrl, '_blank', 'noopener,noreferrer')}
className="gap-2"
>
<ExternalLink className="w-4 h-4" /> <ExternalLink className="w-4 h-4" />
View Pull Request View Pull Request
</Button> </Button>
@@ -277,7 +280,7 @@ export function CreatePRDialog({
<Button <Button
onClick={() => { onClick={() => {
if (browserUrl) { if (browserUrl) {
window.open(browserUrl, '_blank'); window.open(browserUrl, '_blank', 'noopener,noreferrer');
} }
}} }}
className="gap-2 w-full" className="gap-2 w-full"

2
apps/ui/src/components/views/board-view/worktree-panel/components/worktree-actions-dropdown.tsx
View File

@@ -324,7 +324,7 @@ export function WorktreeActionsDropdown({
<> <>
<DropdownMenuItem <DropdownMenuItem
onClick={() => { onClick={() => {
window.open(worktree.pr!.url, '_blank'); window.open(worktree.pr!.url, '_blank', 'noopener,noreferrer');
}} }}
className="text-xs" className="text-xs"
> >

2
apps/ui/src/components/views/board-view/worktree-panel/hooks/use-dev-servers.ts
View File

@@ -143,7 +143,7 @@ export function useDevServers({ projectPath }: UseDevServersOptions) {
} }
devServerUrl.hostname = window.location.hostname; devServerUrl.hostname = window.location.hostname;
window.open(devServerUrl.toString(), '_blank'); window.open(devServerUrl.toString(), '_blank', 'noopener,noreferrer');
} catch (error) { } catch (error) {
logger.error('Failed to parse dev server URL:', error); logger.error('Failed to parse dev server URL:', error);
toast.error('Failed to open dev server', { toast.error('Failed to open dev server', {