fix(document): add rel=noopener noreferrer to viewer download link (CWE-1022)

The error-state download link opened with target="_blank" but no rel,
exposing the opener to reverse tabnavbabbing. Add rel="noopener
noreferrer". Same-origin so low severity, but a one-token fix in a file
this issue already touches.

Refs #708

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

frontend/src/lib/document/DocumentViewer.svelte

@@ -72,6 +72,7 @@ let {
 				<a
 					href="/api/documents/{doc.id}/file"
 					target="_blank"
+					rel="noopener noreferrer"
 					class="text-sm underline hover:text-white"
 				>
 					{m.doc_download_link()}

frontend/src/lib/document/DocumentViewer.svelte.test.ts

@@ -46,6 +46,20 @@ describe('DocumentViewer', () => {
 			.toHaveAttribute('href', '/api/documents/d1/file');
 	});
 
+	it('hardens the target=_blank download link with rel=noopener noreferrer (CWE-1022)', async () => {
+		render(DocumentViewer, {
+			props: {
+				...baseProps,
+				doc: { ...baseProps.doc, filePath: 'docs/scan.pdf' },
+				error: 'Render failed'
+			}
+		});
+
+		await expect
+			.element(page.getByRole('link', { name: /direkter download/i }))
+			.toHaveAttribute('rel', 'noopener noreferrer');
+	});
+
 	it('omits the direct-download link in the error state when filePath is null', async () => {
 		render(DocumentViewer, { props: { ...baseProps, error: 'Render failed' } });