From 824f3161eba05393ca9524cdd3b94ea5c520c8d1 Mon Sep 17 00:00:00 2001 From: yan Date: Wed, 22 Feb 2023 14:48:31 -0800 Subject: [PATCH] use noreferrer for window.open with external URLs fix https://github.com/brave/brave-browser/issues/28700 --- .../settings/brave_appearance_page/super_referral.ts | 3 ++- .../brave_default_extensions_page.ts | 2 +- components/brave_new_tab_ui/async/today.ts | 4 ++-- .../default/braveNews/cards/_articles/cardArticleLarge.tsx | 2 +- .../brave_rewards/resources/page/brave_rewards_page.tsx | 2 +- .../brave_rewards/resources/page/components/pageWallet.tsx | 4 ++-- .../resources/page/components/provider_redirect_modal.tsx | 2 +- .../resources/page/components/sidebar_promotion_panel.tsx | 2 +- .../resources/shared/components/newtab/rewards_card.tsx | 6 +++--- .../resources/tip/components/limited_tip_form.tsx | 2 +- .../extension/sign-panel/sign-transaction-panel.tsx | 2 +- .../components/shared/app-list-item/index.tsx | 2 +- .../brave_wallet_ui/stories/wallet-extension-panels.tsx | 2 +- components/ipfs_ui/reducers/ipfs_reducer.ts | 2 +- ...ome-browser-resources-bookmarks-command_manager.ts.patch | 2 +- 15 files changed, 20 insertions(+), 19 deletions(-) diff --git a/browser/resources/settings/brave_appearance_page/super_referral.ts b/browser/resources/settings/brave_appearance_page/super_referral.ts index 914a5b7365e4..b618409b2cd4 100644 --- a/browser/resources/settings/brave_appearance_page/super_referral.ts +++ b/browser/resources/settings/brave_appearance_page/super_referral.ts @@ -83,7 +83,8 @@ export class SettingsBraveAppearanceSuperReferralElement extends * Open URL for either current theme or the theme gallery. */ private openThemeUrl_() { - window.open(this.themeUrl_ || loadTimeData.getString('themesGalleryUrl')); + window.open(this.themeUrl_ || loadTimeData.getString('themesGalleryUrl'), + undefined, 'noreferrer'); } private onUseDefaultTap_() { 
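Review bot: The doc comment on `openThemeUrl_` in super_referral.ts does not say why the third argument is there, and the same bare `'noreferrer'` string recurs at every call site this commit touches. I would add a line such as `// 'noreferrer' also implies 'noopener': the opened page gets no Referer header and no window.opener handle.` so a later cleanup does not drop the argument as redundant. The same comment could state that passing `undefined` as the target keeps the default new-window behaviour. The enclosing class starts and ends outside the hunk.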
diff --git a/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts b/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts index a0833599d9f7..83a30f058f12 100644 --- a/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts +++ b/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts @@ -108,7 +108,7 @@ export class SettingBraveDefaultExtensionsPageElement extends SettingBraveDefaul } openWebStoreUrl_() { - window.open(loadTimeData.getString('getMoreExtensionsUrl')) + window.open(loadTimeData.getString('getMoreExtensionsUrl'), undefined, 'noreferrer') } shouldShowRestartForGoogleLogin_(value: boolean) { diff --git a/components/brave_new_tab_ui/async/today.ts b/components/brave_new_tab_ui/async/today.ts index b5f22237b00a..16beb051f259 100644 --- a/components/brave_new_tab_ui/async/today.ts +++ b/components/brave_new_tab_ui/async/today.ts @@ -111,7 +111,7 @@ handler.on( // visit article url window.location.href = data.url.url } else { - window.open(data.url.url, '_blank') + window.open(data.url.url, '_blank', 'noreferrer') } } ) @@ -223,7 +223,7 @@ handler.on( // visit article url window.location.href = destinationUrl } else { - window.open(destinationUrl, '_blank') + window.open(destinationUrl, '_blank', 'noreferrer') } } ) diff --git a/components/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx b/components/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx index a179069c69a7..4aa10f28b549 100644 --- a/components/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx +++ b/components/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx 
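Review bot: The same-tab branch in both today.ts hunks still navigates with `window.location.href = data.url.url` (and `window.location.href = destinationUrl` in the second hunk), so only the new-tab path gets the no-referrer treatment. If the intent is that article publishers never receive a referrer from this page, the same-tab path could use the form this commit applies elsewhere, `window.open(data.url.url, '_self', 'noreferrer')`. Whether this page sends a referrer at all on a plain location change is not visible here, so that should be confirmed before changing it. Both handlers begin outside their hunks.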
@@ -39,7 +39,7 @@ const promotedInfoUrl = 'https://brave.com/brave-today' function onClickPromoted (e: React.MouseEvent) { const openInNewTab = e.ctrlKey || e.metaKey if (openInNewTab) { - document.open(promotedInfoUrl, '__blank') + document.open(promotedInfoUrl, '__blank', 'noreferrer') } else { window.location.href = promotedInfoUrl } diff --git a/components/brave_rewards/resources/page/brave_rewards_page.tsx b/components/brave_rewards/resources/page/brave_rewards_page.tsx index efa21b81ae79..674247546afc 100644 --- a/components/brave_rewards/resources/page/brave_rewards_page.tsx +++ b/components/brave_rewards/resources/page/brave_rewards_page.tsx @@ -247,7 +247,7 @@ function enabledInlineTippingPlatforms (list: string[]) { } function externalWalletLogin (url: string) { - window.open(url, '_self') + window.open(url, '_self', 'noreferrer') } function onPrefChanged (key: string) { diff --git a/components/brave_rewards/resources/page/components/pageWallet.tsx b/components/brave_rewards/resources/page/components/pageWallet.tsx index 40a038808592..6b7bd97ff3d8 100644 --- a/components/brave_rewards/resources/page/components/pageWallet.tsx +++ b/components/brave_rewards/resources/page/components/pageWallet.tsx @@ -158,7 +158,7 @@ class PageWallet extends React.Component { } if (externalWallet.loginUrl) { - window.open(externalWallet.loginUrl, '_self') + window.open(externalWallet.loginUrl, '_self', 'noreferrer') } } @@ -208,7 +208,7 @@ class PageWallet extends React.Component { return } - window.open(externalWallet.accountUrl, '_self') + window.open(externalWallet.accountUrl, '_self', 'noreferrer') } getBalanceToken = (key: string) => { diff --git a/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx b/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx index 1a46df653cf7..ca041640e079 100644 --- a/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx 
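Review bot: In `onClickPromoted` (cardArticleLarge.tsx) the target is still `'__blank'` with two underscores, which is an ordinary window name rather than the `_blank` keyword. The call also goes through the legacy three-argument `document.open` instead of `window.open`, unlike every other site in the commit. I would change the line to `window.open(promotedInfoUrl, '_blank', 'noreferrer')` so it reads and behaves like the rest. The URL is the constant `promotedInfoUrl`, so this is a consistency fix rather than an exposure.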
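Review bot: `externalWalletLogin` in brave_rewards_page.tsx hands its `url` argument straight to `window.open(url, '_self', 'noreferrer')`, and with a `_self` target it is the rewards page itself that navigates, so the scheme matters more here than at the `_blank` sites. Where `url` originates is outside the hunk; if it comes from wallet-provider data, a guard such as `if (new URL(url).protocol !== 'https:') return` before the call would keep a non-web scheme from being followed. The same applies to `externalWallet.loginUrl` and `externalWallet.accountUrl` in the two pageWallet.tsx hunks and to `externalWallet.loginUrl` in provider_redirect_modal.tsx. With `_self` there is no opener to sever, so a short comment saying `'noreferrer'` is there only to suppress the Referer header would help the next reader.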
+++ b/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx @@ -24,7 +24,7 @@ export function ProviderRedirectModal () { const onRedirectError = () => { actions.hideRedirectModal() if (externalWallet && externalWallet.loginUrl) { - window.open(externalWallet.loginUrl, '_self') + window.open(externalWallet.loginUrl, '_self', 'noreferrer') } } diff --git a/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx b/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx index c166094a1ffe..0e64d27c129f 100644 --- a/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx +++ b/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx @@ -112,7 +112,7 @@ export function SidebarPromotionPanel (props: Props) { } const visitPromotionURL = () => { - window.open(getPromotionURL(key), '_blank') + window.open(getPromotionURL(key), '_blank', 'noreferrer') } const onDismiss = () => { diff --git a/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx b/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx index 371f094d1b70..518ea5ffc071 100644 --- a/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx +++ b/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx @@ -124,7 +124,7 @@ export function RewardsCard (props: Props) { if (externalWallet && externalWallet.status === mojom.WalletStatus.kLoggedOut) { const onClick = () => { if (externalWallet.links.reconnect) { - window.open(externalWallet.links.reconnect, '_blank') + window.open(externalWallet.links.reconnect, '_blank', 'noreferrer') } } return ( 
@@ -286,7 +286,7 @@ export function RewardsCard (props: Props) { } function renderVBATNotice () { - const onConnect = () => { window.open(urls.connectURL, '_blank') } + const onConnect = () => { window.open(urls.connectURL, '_blank', 'noreferrer') } const onClose = () => { setHideVBATNotice(true) } return ( @@ -305,7 +305,7 @@ export function RewardsCard (props: Props) { } function renderLimited () { - const onConnect = () => { window.open(urls.connectURL, '_blank') } + const onConnect = () => { window.open(urls.connectURL, '_blank', 'noreferrer') } return ( diff --git a/components/brave_rewards/resources/tip/components/limited_tip_form.tsx b/components/brave_rewards/resources/tip/components/limited_tip_form.tsx index 37faa060e0f3..4d2f236574ae 100644 --- a/components/brave_rewards/resources/tip/components/limited_tip_form.tsx +++ b/components/brave_rewards/resources/tip/components/limited_tip_form.tsx @@ -38,7 +38,7 @@ export function LimitedTipForm () { }, [host]) function onConnectAccount () { - window.open(urls.connectURL, '_blank') + window.open(urls.connectURL, '_blank', 'noreferrer') host.closeDialog() } diff --git a/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx b/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx index 80fdc6cb192b..12d187dffd1a 100644 --- a/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx +++ b/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx @@ -70,7 +70,7 @@ enum SignDataSteps { } const onClickLearnMore = () => { - window.open('https://support.brave.com/hc/en-us/articles/4409513799693', '_blank') + window.open('https://support.brave.com/hc/en-us/articles/4409513799693', '_blank', 'noreferrer') } export const SignTransactionPanel = ({ signMode }: Props) => { 
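Review bot: `renderVBATNotice` and `renderLimited` in rewards_card.tsx now each define the same `onConnect` body, so the next change to how this link is opened has to be made in two places, or three counting `onConnectAccount` in limited_tip_form.tsx. Defining it once in `RewardsCard`, as `const onConnect = () => { window.open(urls.connectURL, '_blank', 'noreferrer') }`, and using it from both render helpers would keep the call sites from drifting apart. Both helpers continue past their hunks.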
diff --git a/components/brave_wallet_ui/components/shared/app-list-item/index.tsx b/components/brave_wallet_ui/components/shared/app-list-item/index.tsx index 6e16ad3b8019..a7ed6a8405ed 100644 --- a/components/brave_wallet_ui/components/shared/app-list-item/index.tsx +++ b/components/brave_wallet_ui/components/shared/app-list-item/index.tsx @@ -30,7 +30,7 @@ export default class AppListItem extends React.PureComponent { } openApp = () => { - window.open(this.props.appInfo.url, '_blank') + window.open(this.props.appInfo.url, '_blank', 'noreferrer') } render () { diff --git a/components/brave_wallet_ui/stories/wallet-extension-panels.tsx b/components/brave_wallet_ui/stories/wallet-extension-panels.tsx index b51130fb3414..a95a0daf17ea 100644 --- a/components/brave_wallet_ui/stories/wallet-extension-panels.tsx +++ b/components/brave_wallet_ui/stories/wallet-extension-panels.tsx @@ -820,7 +820,7 @@ export const _ConnectHardwareWallet = () => { const onClickInstructions = () => { // Open support link in new tab - window.open('https://support.brave.com/hc/en-us/articles/4409309138701', '_blank') + window.open('https://support.brave.com/hc/en-us/articles/4409309138701', '_blank', 'noreferrer') } return ( diff --git a/components/ipfs_ui/reducers/ipfs_reducer.ts b/components/ipfs_ui/reducers/ipfs_reducer.ts index 046cf4c872be..dcc0ffd02bfd 100644 --- a/components/ipfs_ui/reducers/ipfs_reducer.ts +++ b/components/ipfs_ui/reducers/ipfs_reducer.ts @@ -21,7 +21,7 @@ const openURlInNewTab = (target: string, api: string) => { return } const port = api.slice(api.lastIndexOf('/') + 1, api.length) - window.open(target.replace('{api-port}', port), '_blank') + window.open(target.replace('{api-port}', port), '_blank', 'noreferrer') } const ipfsReducer: Reducer = (state: IPFS.State | undefined, action) => { 
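Review bot: In `openURlInNewTab` (ipfs_reducer.ts) `port` is whatever follows the last `/` of `api` and is substituted into `target` without a check that it is numeric. Because `replace` is called with a string replacement, any `$&`-style sequence in `port` would also be expanded. Adding `if (!/^\d+$/.test(port)) return` before the `window.open` line would ensure only a real port number reaches the URL. The early return above the hunk and the origin of `api` are not visible, so this may already be covered upstream of the hunk.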
diff --git a/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch b/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch index 74fcc0bc8baa..684aa7c2ee91 100644 --- a/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch +++ b/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch @@ -7,7 +7,7 @@ index 535868582e8722686eca28c6cb12b0e6a5711329..49c956ff41134a97cca61a9a5b1e51ea break; case Command.HELP_CENTER: - window.open('https://support.google.com/chrome/?p=bookmarks'); -+ window.open('https://community.brave.com'); ++ window.open('https://community.brave.com', undefined, 'noreferrer'); break; default: assertNotReached();