Skip to content

[Security] Add rel="noopener noreferrer" to all external links with target="_blank" #726

Description

@Pranav-IIITM

Description

Throughout the Harbor website, external links are set to open in new tabs using target="_blank" but are missing the rel="noopener noreferrer" attribute. This is a well-known security vulnerability that allows the newly opened tab to access and potentially manipulate the original tab via the window.opener object. It also causes minor performance degradation in some browsers.

Affected Files

  • layouts/partials/navbar.html
  • layouts/partials/footer.html
  • layouts/partials/home/hero.html
  • layouts/partials/social-buttons.html

Current Behavior

External links such as GitHub releases, Twitter, and Linux Foundation links are using target="_blank" without the rel attribute:

<!-- Current (vulnerable) -->
<a href="https://example.com" target="_blank">Link</a>

Expected Behavior

All external links with target="_blank" should include rel="noopener noreferrer":

<!-- Fixed (secure) -->
<a href="https://example.com" target="_blank" rel="noopener noreferrer">Link</a>

Why It Matters

  • Security — Without rel="noopener", the newly opened tab can access window.opener and potentially redirect the original page to a malicious URL (reverse tabnapping attack)
  • Privacynoreferrer prevents the browser from sending the Referer header, avoiding leaking the origin page URL to external sites
  • Performancenoopener prevents the new tab from running in the same process as the original page, improving performance in some browsers

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions