Merge pull request #17337 from brave/fix/28700

use noreferrer for window.open with external URLs
brave · Feb 26, 2023 · 97576bf · 97576bf
2 parents 0dbdda3 + 824f316
commit 97576bf
Show file tree

Hide file tree

Showing 15 changed files with 20 additions and 19 deletions.
diff --git a/browser/resources/settings/brave_appearance_page/super_referral.ts b/browser/resources/settings/brave_appearance_page/super_referral.ts
@@ -83,7 +83,8 @@ export class SettingsBraveAppearanceSuperReferralElement extends
    * Open URL for either current theme or the theme gallery.
    */
   private openThemeUrl_() {
-    window.open(this.themeUrl_ || loadTimeData.getString('themesGalleryUrl'));
+    window.open(this.themeUrl_ || loadTimeData.getString('themesGalleryUrl'),
+      undefined, 'noreferrer');
   }
 
   private onUseDefaultTap_() {

diff --git a/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts b/browser/resources/settings/brave_default_extensions_page/brave_default_extensions_page.ts
@@ -108,7 +108,7 @@ export class SettingBraveDefaultExtensionsPageElement extends SettingBraveDefaul
   }
 
   openWebStoreUrl_() {
-    window.open(loadTimeData.getString('getMoreExtensionsUrl'))
+    window.open(loadTimeData.getString('getMoreExtensionsUrl'), undefined, 'noreferrer')
   }
 
   shouldShowRestartForGoogleLogin_(value: boolean) {

diff --git a/components/brave_new_tab_ui/async/today.ts b/components/brave_new_tab_ui/async/today.ts
@@ -111,7 +111,7 @@ handler.on<Actions.ReadFeedItemPayload>(
       // visit article url
       window.location.href = data.url.url
     } else {
-      window.open(data.url.url, '_blank')
+      window.open(data.url.url, '_blank', 'noreferrer')
     }
   }
 )
@@ -223,7 +223,7 @@ handler.on<Actions.VisitDisplayAdPayload>(
       // visit article url
       window.location.href = destinationUrl
     } else {
-      window.open(destinationUrl, '_blank')
+      window.open(destinationUrl, '_blank', 'noreferrer')
     }
   }
 )

diff --git a/...onents/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx b/...onents/brave_new_tab_ui/components/default/braveNews/cards/_articles/cardArticleLarge.tsx
@@ -39,7 +39,7 @@ const promotedInfoUrl = 'https://brave.com/brave-today'
 function onClickPromoted (e: React.MouseEvent) {
   const openInNewTab = e.ctrlKey || e.metaKey
   if (openInNewTab) {
-    document.open(promotedInfoUrl, '__blank')
+    document.open(promotedInfoUrl, '__blank', 'noreferrer')
   } else {
     window.location.href = promotedInfoUrl
   }

diff --git a/components/brave_rewards/resources/page/brave_rewards_page.tsx b/components/brave_rewards/resources/page/brave_rewards_page.tsx
@@ -247,7 +247,7 @@ function enabledInlineTippingPlatforms (list: string[]) {
 }
 
 function externalWalletLogin (url: string) {
-  window.open(url, '_self')
+  window.open(url, '_self', 'noreferrer')
 }
 
 function onPrefChanged (key: string) {

diff --git a/components/brave_rewards/resources/page/components/pageWallet.tsx b/components/brave_rewards/resources/page/components/pageWallet.tsx
@@ -158,7 +158,7 @@ class PageWallet extends React.Component<Props, State> {
     }
 
     if (externalWallet.loginUrl) {
-      window.open(externalWallet.loginUrl, '_self')
+      window.open(externalWallet.loginUrl, '_self', 'noreferrer')
     }
   }
 
@@ -208,7 +208,7 @@ class PageWallet extends React.Component<Props, State> {
       return
     }
 
-    window.open(externalWallet.accountUrl, '_self')
+    window.open(externalWallet.accountUrl, '_self', 'noreferrer')
   }
 
   getBalanceToken = (key: string) => {

diff --git a/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx b/components/brave_rewards/resources/page/components/provider_redirect_modal.tsx
@@ -24,7 +24,7 @@ export function ProviderRedirectModal () {
   const onRedirectError = () => {
     actions.hideRedirectModal()
     if (externalWallet && externalWallet.loginUrl) {
-      window.open(externalWallet.loginUrl, '_self')
+      window.open(externalWallet.loginUrl, '_self', 'noreferrer')
     }
   }
 

diff --git a/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx b/components/brave_rewards/resources/page/components/sidebar_promotion_panel.tsx
@@ -112,7 +112,7 @@ export function SidebarPromotionPanel (props: Props) {
           }
 
           const visitPromotionURL = () => {
-            window.open(getPromotionURL(key), '_blank')
+            window.open(getPromotionURL(key), '_blank', 'noreferrer')
           }
 
           const onDismiss = () => {

diff --git a/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx b/components/brave_rewards/resources/shared/components/newtab/rewards_card.tsx
@@ -124,7 +124,7 @@ export function RewardsCard (props: Props) {
     if (externalWallet && externalWallet.status === mojom.WalletStatus.kLoggedOut) {
       const onClick = () => {
         if (externalWallet.links.reconnect) {
-          window.open(externalWallet.links.reconnect, '_blank')
+          window.open(externalWallet.links.reconnect, '_blank', 'noreferrer')
         }
       }
       return (
@@ -286,7 +286,7 @@ export function RewardsCard (props: Props) {
   }
 
   function renderVBATNotice () {
-    const onConnect = () => { window.open(urls.connectURL, '_blank') }
+    const onConnect = () => { window.open(urls.connectURL, '_blank', 'noreferrer') }
     const onClose = () => { setHideVBATNotice(true) }
     return (
       <style.root>
@@ -305,7 +305,7 @@ export function RewardsCard (props: Props) {
   }
 
   function renderLimited () {
-    const onConnect = () => { window.open(urls.connectURL, '_blank') }
+    const onConnect = () => { window.open(urls.connectURL, '_blank', 'noreferrer') }
 
     return (
       <style.root>

diff --git a/components/brave_rewards/resources/tip/components/limited_tip_form.tsx b/components/brave_rewards/resources/tip/components/limited_tip_form.tsx
@@ -38,7 +38,7 @@ export function LimitedTipForm () {
   }, [host])
 
   function onConnectAccount () {
-    window.open(urls.connectURL, '_blank')
+    window.open(urls.connectURL, '_blank', 'noreferrer')
     host.closeDialog()
   }
 

diff --git a/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx b/components/brave_wallet_ui/components/extension/sign-panel/sign-transaction-panel.tsx
@@ -70,7 +70,7 @@ enum SignDataSteps {
 }
 
 const onClickLearnMore = () => {
-  window.open('https://support.brave.com/hc/en-us/articles/4409513799693', '_blank')
+  window.open('https://support.brave.com/hc/en-us/articles/4409513799693', '_blank', 'noreferrer')
 }
 
 export const SignTransactionPanel = ({ signMode }: Props) => {

diff --git a/components/brave_wallet_ui/components/shared/app-list-item/index.tsx b/components/brave_wallet_ui/components/shared/app-list-item/index.tsx
@@ -30,7 +30,7 @@ export default class AppListItem extends React.PureComponent<Props> {
   }
 
   openApp = () => {
-    window.open(this.props.appInfo.url, '_blank')
+    window.open(this.props.appInfo.url, '_blank', 'noreferrer')
   }
 
   render () {

diff --git a/components/brave_wallet_ui/stories/wallet-extension-panels.tsx b/components/brave_wallet_ui/stories/wallet-extension-panels.tsx
@@ -820,7 +820,7 @@ export const _ConnectHardwareWallet = () => {
 
   const onClickInstructions = () => {
     // Open support link in new tab
-    window.open('https://support.brave.com/hc/en-us/articles/4409309138701', '_blank')
+    window.open('https://support.brave.com/hc/en-us/articles/4409309138701', '_blank', 'noreferrer')
   }
 
   return (

diff --git a/components/ipfs_ui/reducers/ipfs_reducer.ts b/components/ipfs_ui/reducers/ipfs_reducer.ts
@@ -21,7 +21,7 @@ const openURlInNewTab = (target: string, api: string) => {
     return
   }
   const port = api.slice(api.lastIndexOf('/') + 1, api.length)
-  window.open(target.replace('{api-port}', port), '_blank')
+  window.open(target.replace('{api-port}', port), '_blank', 'noreferrer')
 }
 
 const ipfsReducer: Reducer<IPFS.State | undefined> = (state: IPFS.State | undefined, action) => {

diff --git a/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch b/patches/chrome-browser-resources-bookmarks-command_manager.ts.patch
@@ -7,7 +7,7 @@ index 535868582e8722686eca28c6cb12b0e6a5711329..49c956ff41134a97cca61a9a5b1e51ea
          break;
        case Command.HELP_CENTER:
 -        window.open('https://support.google.com/chrome/?p=bookmarks');
-+        window.open('https://community.brave.com');
++        window.open('https://community.brave.com', undefined, 'noreferrer');
          break;
        default:
          assertNotReached();