From 8eb321cceacf0eaf32e38ea641f45e0ac33694be Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 1 Jun 2026 21:13:47 +0200
Subject: [PATCH] chore(frontend): enforce rel=noopener on target=_blank via eslint (CWE-1022)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enable svelte/no-target-blank so reverse-tabnabbing is caught at lint time instead of relying on review (the very gap that left the viewer download link exposed). Repo is already clean — all existing target="_blank" anchors carry rel="noopener noreferrer". Addresses re-review: Nora (optional detection-for-free).

Refs #708
Co-Authored-By: Claude Opus 4.8
---
 frontend/eslint.config.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 79384407..4488ca79 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -77,7 +77,11 @@ export default defineConfig(
 // defense (the CI regex stays as a backstop). For any legitimate use (e.g.
 // trusted server-rendered Markdown), suppress with an inline
 // `` and a justification.
- 'svelte/no-at-html-tags': 'error'
+ 'svelte/no-at-html-tags': 'error',
+ // Reverse-tabnabbing (CWE-1022): any `target="_blank"` anchor must carry
+ // `rel="noopener noreferrer"`, or the opened page can hijack window.opener.
+ // Catches the pattern at lint time instead of relying on review. See #708.
+ 'svelte/no-target-blank': ['error', { allowReferrer: false, enforceDynamicLinks: 'always' }]
 }
 },
 {
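Review bot: The comment above the new `svelte/no-target-blank` entry states the `window.opener` hijack unconditionally, but current browsers already apply an implicit `noopener` to `target="_blank"`, so the explicit `rel` is defense in depth for older engines plus the referrer-stripping that `noreferrer` adds; suggest `// Modern browsers imply noopener for target="_blank"; enforce it explicitly for older engines and to add noreferrer.` so the next reader does not overestimate the exposure. Both options passed on the last added line (`allowReferrer: false`, `enforceDynamicLinks: 'always'`) appear to be the plugin's documented defaults, so either drop them or say in the comment that they are spelled out on purpose, otherwise a reader assumes they tighten something. The rule only inspects anchors in Svelte templates; `window.open()` calls in `<script>` blocks or plain `.js`/`.ts` files are not covered, which is worth noting in the comment or the commit message since the message presents the rule as closing the review gap. The `rules` object these lines belong to starts outside the hunk.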