
fix: add rel=noopener noreferrer to external links in Footer #608

Open
amathxbt wants to merge 1 commit into inkonchain:main from amathxbt:fix/footer-noopener-noreferrer


@amathxbt

Bug

The Footer component renders two external links with target="_blank" but no rel attribute:

<a href="https://inkonchain.com/en-US/privacy" target="_blank">
  Privacy Notice
</a>
<a href="https://inkonchain.com/en-US/terms" target="_blank">
  Terms of Service
</a>

Opening a link with target="_blank" without rel="noopener" gives the opened page access to the opener via window.opener. This enables a reverse tabnapping attack where a malicious or compromised destination page can redirect the original tab to a phishing page.

Although modern browsers set rel="noopener" implicitly for cross-origin navigations since Chrome 88 / Firefox 79, the explicit attribute is still required for:

  • Older browser support
  • Passing security linters and CSP audits
  • ESLint rules (jsx-a11y/anchor-is-valid, react/jsx-no-target-blank)

Fix

Add rel="noopener noreferrer" to both links:

<a href="..." target="_blank" rel="noopener noreferrer">

noreferrer additionally prevents the Referer header from leaking the docs URL to the destination.

@amathxbt requested a review from a team as a code owner on April 27, 2026 15:52
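A check for the pattern described in the pull request above, as an added example that is not part of the PR or the project's code: it scans markup for `<a target="_blank">` tags whose `rel` lacks either token the fix adds. The function names and the `example.com` link are assumptions made for illustration, and only static string attributes (as in the Footer snippet) are handled, not JSX expressions.

```javascript
// Added example: flag <a target="_blank"> tags whose rel lacks the tokens this PR adds.
// Policy assumption: both tokens are required, matching the PR's fix.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Opening <a ...> tag; quoted attribute values may themselves contain ">".
const ANCHOR_TAG = /<a(?=[\s>\/])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// name="value" or name='value' pairs (JSX {expressions} are ignored).
const ATTRIBUTE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function parseAttributes(rawAttrs) {
  const attrs = {};
  for (const m of rawAttrs.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

function findUnsafeBlankLinks(source) {
  const findings = [];
  for (const tag of source.matchAll(ANCHOR_TAG)) {
    const attrs = parseAttributes(tag[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    // rel is a space-separated, case-insensitive token list.
    const relTokens = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED_REL.filter((t) => !relTokens.includes(t));
    if (missing.length === 0) continue;
    const line = source.slice(0, tag.index).split("\n").length;
    findings.push({ line, href: attrs.href || null, missing });
  }
  return findings;
}

// Constructed sample: the first link mirrors the unfixed Footer markup,
// the second the fixed form; the last two are made up for contrast.
const SAMPLE = `
<footer>
  <a href="https://inkonchain.com/en-US/privacy" target="_blank">
    Privacy Notice
  </a>
  <a href="https://inkonchain.com/en-US/terms" target="_blank" rel="noopener noreferrer">
    Terms of Service
  </a>
  <a href="https://example.com/partial" target="_blank" rel="noopener">Partial</a>
  <a href="/local">Same tab</a>
</footer>`;

console.log(findUnsafeBlankLinks(SAMPLE));
```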