Description
Throughout the Harbor website, external links are set to open in new tabs using target="_blank" but are missing the rel="noopener noreferrer" attribute. This is a well-known security vulnerability that allows the newly opened tab to access and potentially manipulate the original tab via the window.opener object. It also causes minor performance degradation in some browsers.
Affected Files
layouts/partials/navbar.html
layouts/partials/footer.html
layouts/partials/home/hero.html
layouts/partials/social-buttons.html
Current Behavior
External links such as GitHub releases, Twitter, and Linux Foundation links are using target="_blank" without the rel attribute:
<!-- Current (vulnerable) -->
<a href="https://example.com" target="_blank">Link</a>
Expected Behavior
All external links with target="_blank" should include rel="noopener noreferrer":
<!-- Fixed (secure) -->
<a href="https://example.com" target="_blank" rel="noopener noreferrer">Link</a>
Why It Matters
- Security — Without
rel="noopener", the newly opened tab can access window.opener and potentially redirect the original page to a malicious URL (reverse tabnapping attack)
- Privacy —
noreferrer prevents the browser from sending the Referer header, avoiding leaking the origin page URL to external sites
- Performance —
noopener prevents the new tab from running in the same process as the original page, improving performance in some browsers
References
Description
Throughout the Harbor website, external links are set to open in new tabs using
target="_blank"but are missing therel="noopener noreferrer"attribute. This is a well-known security vulnerability that allows the newly opened tab to access and potentially manipulate the original tab via thewindow.openerobject. It also causes minor performance degradation in some browsers.Affected Files
layouts/partials/navbar.htmllayouts/partials/footer.htmllayouts/partials/home/hero.htmllayouts/partials/social-buttons.htmlCurrent Behavior
External links such as GitHub releases, Twitter, and Linux Foundation links are using
target="_blank"without therelattribute:Expected Behavior
All external links with
target="_blank"should includerel="noopener noreferrer":Why It Matters
rel="noopener", the newly opened tab can accesswindow.openerand potentially redirect the original page to a malicious URL (reverse tabnapping attack)noreferrerprevents the browser from sending theRefererheader, avoiding leaking the origin page URL to external sitesnoopenerprevents the new tab from running in the same process as the original page, improving performance in some browsersReferences