From e1b5c1b15c62fa897784a3c143db879d68b8b459 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 19 May 2026 21:05:03 +0200
Subject: [PATCH] fix(transcription): add noreferrer to mention dropdown
 create-new link
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For issue #380 (Nora CWE-116). The "Neue Person anlegen" link opens in
a new tab and was missing `noreferrer` — the new tab could read
window.opener and the referrer leaked the transcription URL. Same-origin
risk is low but the omission was unintentional.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../lib/shared/discussion/MentionDropdown.svelte    |  2 +-
 .../discussion/MentionDropdown.svelte.spec.ts       | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/shared/discussion/MentionDropdown.svelte b/frontend/src/lib/shared/discussion/MentionDropdown.svelte
index 5e6c2157..921d9e6f 100644
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte
@@ -188,7 +188,7 @@ function selectItem(item: Person) {
 		<a
 			href="/persons/new"
 			target="_blank"
-			rel="noopener"
+			rel="noopener noreferrer"
 			class="flex min-h-[44px] items-center gap-2 border-t border-line px-3 py-2.5 font-sans text-sm font-medium text-brand-navy hover:bg-canvas focus:bg-canvas focus:outline-none"
 			onmousedown={(e) => e.preventDefault()}
 		>
diff --git a/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts b/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
index cf2205b8..71a7ad61 100644
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
@@ -77,6 +77,19 @@ describe('MentionDropdown — search input', () => {
 		await expect.element(page.getByText(m.person_mention_search_prompt())).not.toBeInTheDocument();
 	});
 
+	it('"create new person" link has rel="noopener noreferrer" (CWE-116)', async () => {
+		render(MentionDropdown, {
+			model: makeModel([]),
+			editorQuery: 'unknown', // non-empty so the empty-state link renders
+			onSearch: () => {}
+		});
+
+		const link = document.querySelector('a[href="/persons/new"]') as HTMLAnchorElement;
+		expect(link).not.toBeNull();
+		expect(link.getAttribute('rel')).toContain('noopener');
+		expect(link.getAttribute('rel')).toContain('noreferrer');
+	});
+
 	it('search input wrapper meets the 44px touch target (WCAG 2.2 AA)', async () => {
 		render(MentionDropdown, {
 			model: makeModel(),