remarkable icon indicating copy to clipboard operation
remarkable copied to clipboard

Published 20 hours ago verified publisher icon jonschlinkert

Open external links using rel="noopener"

Open laurentpellegrino opened this issue 7 years ago • 11 comments

For performance and security reasons, this patch opens external links using rel="noopener" when target is defined and other than _self.

More details about the reason for this patch are available below:

https://developers.google.com/web/tools/lighthouse/audits/noopener

laurentpellegrino avatar Feb 15 '18 10:02 laurentpellegrino

@jonschlinkert Do you think it is possible to merge and create a new release for this PR that is about performance and security?

Please note I tried to run tests but there are missing dependencies and the --reset option no longer exists for the version of es-lint that is fetched. Once that fixed, tests run but fail, with or without changes from this PR.

laurentpellegrino avatar Feb 15 '18 10:02 laurentpellegrino

@doowb Thanks, the typo is fixed.

how would someone that expects to be able to use window.opener for an internal link be able to do that?

In that case, people can set the existing linkTarget option to value _self or leave it empty? The rel attribute is added if the target is different from previously mentioned values.

The fact that we do not have fine grain control over link attributes per link seems to be another problem that is not even yet addressed for the target. I have opened an issue about this point: https://github.com/jonschlinkert/remarkable/issues/291.

laurentpellegrino avatar Feb 15 '18 17:02 laurentpellegrino

@lpellegr thanks! I'll leave this open for a few days to see if anyone else has any comments or suggestions about this change.

doowb avatar Feb 15 '18 17:02 doowb

@doowb @lpellegr, any updates on this PR? Is there anything I can do to help get it merged?

shockey avatar Aug 03 '18 00:08 shockey

I'll merge this and try to get it published this weekend. I think some other things have been merged since the last published version so I might have to backport the changes if this should be a patch bump.

doowb avatar Aug 03 '18 01:08 doowb

I didn't forget about this. There are some things that need to be done with the repository before this can be merged.

doowb avatar Aug 07 '18 18:08 doowb

rel="noopener" is not supported in Edge, IE11 or older versions of Firefox. It would be better to use rel="noopener noreferrer", in order to solve this security issue for more browsers. See https://mathiasbynens.github.io/rel-noopener/

larsnystrom avatar Aug 09 '18 12:08 larsnystrom

Is there any update on this PR?

rankida avatar Nov 08 '18 10:11 rankida

FYI: since Remarkable doesn't support this, we've started using DomPurify to handle attaching noopener noreferrer to anchor links.

Here's the plugin we wrote: https://github.com/swagger-api/swagger-ui/blob/59bd9f4988007a0e561a62831f444787b84f6f2c/src/core/components/providers/markdown.jsx#L7-L16

If you're handling user generated Markdown, you should be sanitizing your output anyway! DomPurify is by far the best sanitization library that I've come across 😄

shockey avatar Nov 08 '18 16:11 shockey

@doowb any news?

laurentpellegrino avatar Dec 07 '18 13:12 laurentpellegrino

@doowb any news on this? 😸

richard-smartbear avatar Dec 24 '18 13:12 richard-smartbear