Action.OpenUrl with a top-level browsing context

sch · sch · commit 6de67c8a50cf · 2023-06-28T16:58:10.000-04:00
While HTML links [launch without an opener reference][spec], [`window.open`][vulnerability] provides a reference to the parent page through an auxiliary browsing context. Given untrusted URL input, this can lead to tabnabbing and phishing attacks. This change uses the [noopener] and [noreferrer] [window features] for the default link handler in the React renderer. [spec]: whatwg/html#4078 [vulnerability]: https://mathiasbynens.github.io/rel-noopener/ [window features]: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#windowfeatures [noopener]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener [noreferrer]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer
diff --git a/source/nodejs/adaptivecards-react/src/adaptive-card.tsx b/source/nodejs/adaptivecards-react/src/adaptive-card.tsx
@@ -43,7 +43,7 @@ const propTypes = {
 };
 
 const defaultOpenUrlHandler = (action: AdaptiveCards.OpenUrlAction) => {
-    window.open(action.url, '_blank');
+    window.open(action.url, '_blank', 'noopener,noreferrer');
 };
 
 const setUpMarkdownIt = () => {
