fix(#290): add noopener to download fallback #328
@Shreya-nipunge is attempting to deploy a commit to the Dot_NotSam's projects Team on Vercel. A member of the Team first needs to authorize it.
Description
Adds `noopener,noreferrer` to the landing page download fallback that opens the GitHub releases page in a new tab.

Previously, the fallback used `window.open(..., "_blank")` without opener protection, which could allow the newly opened page to retain access to `window.opener`.

Related Issue
Fixes #290

Changes Made
- `window.open()` call in `landing/src/components/DownloadButton.tsx`
- `"noopener,noreferrer"` as the third argument

Security Impact
Prevents the opened tab from accessing `window.opener`, following recommended security practices for links opened in a new tab.

Testing
- `landing/src/components/DownloadButton.tsx`
- `git diff --check`
- `noopener,noreferrer` is applied

Notes
- `npm.cmd run lint`, but linting could not complete because `eslint` was not installed/resolvable in the local landing environment.
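
A review-time check for the pattern this PR fixes, added here as an example and not part of the pull request or the project's code: it scans source text for `window.open()` calls that open a new tab without `noopener` or `noreferrer` in the features argument. The sample input is constructed, and `RELEASES_URL` and `buildUrl` are hypothetical names.

```javascript
// Collect the call's top-level arguments, respecting quotes and nested brackets.
function parseArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = "";
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") { cur += ch + (src[++i] ?? ""); continue; }
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      quote = ch;
    } else if ("([{".includes(ch)) {
      depth++;
    } else if (")]}".includes(ch)) {
      if (depth === 0) break; // closing paren of window.open(
      depth--;
    } else if (ch === "," && depth === 0) {
      args.push(cur.trim()); cur = ""; continue;
    }
    cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}
function findUnsafeOpens(src) {
  const findings = [];
  for (const m of src.matchAll(/\bwindow\.open\s*\(/g)) {
    const [, target, features = ""] = parseArgs(src, m.index + m[0].length);
    // An omitted target defaults to "_blank"; non-literal targets are not analysed.
    const newTab = target === undefined || /^["'`]_blank["'`]$/.test(target);
    // "noreferrer" also implies noopener in the HTML window.open algorithm.
    const guarded = /\b(noopener|noreferrer)\b/.test(features);
    if (newTab && !guarded) {
      findings.push({ line: src.slice(0, m.index).split("\n").length, target });
    }
  }
  return findings;
}

// Constructed sample input; RELEASES_URL and buildUrl are hypothetical names.
const SAMPLE = [
  'window.open(RELEASES_URL, "_blank");',
  'window.open(RELEASES_URL, "_blank", "noopener,noreferrer");',
  'window.open(buildUrl(a, b), "_blank", "width=600");',
  'window.open("/help", "_self");',
].join("\n");
console.log(findUnsafeOpens(SAMPLE).map((f) => f.line));
```

With `noopener` applied, `window.open()` returns `null`, so code around the fallback cannot use the return value to tell whether the tab actually opened.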