chore(frontend): enforce rel=noopener on target=_blank via eslint (CWE-1022)

Enable svelte/no-target-blank so reverse-tabnabbing is caught at lint
time instead of relying on review (the very gap that left the viewer
download link exposed). Repo is already clean — all existing
target="_blank" anchors carry rel="noopener noreferrer".

Addresses re-review: Nora (optional detection-for-free).

Refs #708

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Marcel
2026-06-01 21:13:47 +02:00
parent e16b7402bd
commit 8eb321ccea


@@ -77,7 +77,11 @@ export default defineConfig(
// defense (the CI regex stays as a backstop). For any legitimate use (e.g.
// trusted server-rendered Markdown), suppress with an inline
// `<!-- eslint-disable-next-line svelte/no-at-html-tags -->` and a justification.
'svelte/no-at-html-tags': 'error'
'svelte/no-at-html-tags': 'error',
// Reverse-tabnabbing (CWE-1022): any `target="_blank"` anchor must carry
// `rel="noopener noreferrer"`, or the opened page can hijack window.opener.
// Catches the pattern at lint time instead of relying on review. See #708.
'svelte/no-target-blank': ['error', { allowReferrer: false, enforceDynamicLinks: 'always' }]
}
},
{
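Review bot: the comment on the new `svelte/no-target-blank` entry should document the escape hatch the same way the `svelte/no-at-html-tags` block above it does, because `allowReferrer: false` rejects anchors that carry only `rel="noopener"` as well as ones with no `rel` at all; the commit message says every existing anchor already uses `noopener noreferrer`, so the tree is clean today, but the first legitimate exception (a same-origin link that needs a referrer, for instance) will have no documented pattern to follow. Suggest appending `// Suppress with <!-- eslint-disable-next-line svelte/no-target-blank --> and a justification.` Two smaller points: the comment says "any `target="_blank"` anchor", and that is exactly the rule's scope, so `window.open(url, '_blank')` calls in script blocks are still not covered and the CI regex backstop mentioned in the preceding block remains the only check for those; and "hijack window.opener" would be clearer as "navigate the opener via window.opener", which is what the CWE-1022 weakness actually allows.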