fix(document): add rel=noopener noreferrer to viewer download link (CWE-1022)

The error-state download link opened with target="_blank" but no rel, exposing the opener to reverse tabnavbabbing. Add rel="noopener noreferrer". Same-origin so low severity, but a one-token fix in a file this issue already touches. Refs #708 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 20:13:45 +02:00
parent c361b3cd45
commit 817835fd6a
2 changed files with 15 additions and 0 deletions
--- a/frontend/src/lib/document/DocumentViewer.svelte
+++ b/frontend/src/lib/document/DocumentViewer.svelte
@@ -72,6 +72,7 @@ let {
 				<a
 					href="/api/documents/{doc.id}/file"
 					target="_blank"
+					rel="noopener noreferrer"
 					class="text-sm underline hover:text-white"
 				>
 					{m.doc_download_link()}
--- a/frontend/src/lib/document/DocumentViewer.svelte.test.ts
+++ b/frontend/src/lib/document/DocumentViewer.svelte.test.ts
@@ -46,6 +46,20 @@ describe('DocumentViewer', () => {
 			.toHaveAttribute('href', '/api/documents/d1/file');
 	});

+	it('hardens the target=_blank download link with rel=noopener noreferrer (CWE-1022)', async () => {
+		render(DocumentViewer, {
+			props: {
+				...baseProps,
+				doc: { ...baseProps.doc, filePath: 'docs/scan.pdf' },
+				error: 'Render failed'
+			}
+		});
+
+		await expect
+			.element(page.getByRole('link', { name: /direkter download/i }))
+			.toHaveAttribute('rel', 'noopener noreferrer');
+	});
+
 	it('omits the direct-download link in the error state when filePath is null', async () => {
 		render(DocumentViewer, { props: { ...baseProps, error: 'Render failed' } });