authorGravatar ArthurHoaro <arthur@hoa.ro> 2019-08-21 21:14:22 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2019-08-21 21:14:22 +0200
commit3f8804f54f8426961a31287fb8e9a3d8f8f84b4d (patch)
tree1fef3d139b0a6345d5353dc6379b17f9f5b81a71 /p/scripts
parent0ec7f53153395b788ba30bedfe3e9ab98684385e (diff)
Prevent window opener vulnerability with space shortcut (#2506)
* Prevent window opener vulnerability with space shortcut This change fixes a vulnerability introduced by `window.open()` on untrusted sources. It reproduces the effect of `rel="noreferrer"` with JS. Cross browser solution from: https://stackoverflow.com/a/40593743 ## Reproduction > tested with Firefox 68 1. Add this RSS feed 2. Open the 2nd link "À propos de la faille de sécurité liée à target="_blank" **using the space key shortcut**. 3. Click on the first of three links "http://bookmarks.ecyseo.net" Current behaviour: the FreshRSS tab changes. Expected behaviour: no effect on FreshRSS * Test for popup blockers
Diffstat (limited to 'p/scripts')
-rw-r--r--p/scripts/main.js6
1 files changed, 5 insertions, 1 deletions
diff --git a/p/scripts/main.js b/p/scripts/main.js
index 4fd91235e..3f964e70e 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -803,7 +803,11 @@ function init_shortcuts() {
if (context.auto_mark_site) {
mark_read(document.querySelector('.flux.current'), true, false);
}
- window.open(document.querySelector('.flux.current a.go_website').href);
+ const newWindow = window.open();
+ if (newWindow) {
+ newWindow.opener = null;
+ newWindow.location = document.querySelector('.flux.current a.go_website').href;
+ }
return false;
}
if (k === s.skip_next_entry) { next_entry(true); return false; }
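Review bot: The added lines call `window.open()` before the target link is looked up or checked, so the blank window already exists when `document.querySelector('.flux.current a.go_website')` is dereferenced. If no entry is current, that lookup returns null and the handler throws with a stray blank tab left open. The href also comes from feed content, and the new window starts on about:blank, which shares the opener's origin until it navigates. Unless the link scheme is already restricted upstream (not visible in this hunk), I would resolve the link first and accept only http(s): `const link = document.querySelector('.flux.current a.go_website');` then `if (!link || !/^https?:/i.test(link.href)) { return false; }`, and assign `newWindow.location = link.href;`. init_shortcuts starts and ends outside the hunk.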