From 8a776f146182bc6870702cfeb87041e3af66b24b Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre.alapetite@alexandra.dk>
Date: Wed, 7 Sep 2016 14:35:51 +0200
Subject: Prevent a target _blank attacks with window.opener

https://mathiasbynens.github.io/rel-noopener/
noopener is implied by noreferrer
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
The API for window.open() does not seem stable yet
https://bugzilla.mozilla.org/show_bug.cgi?id=1267339
---
 p/scripts/main.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'p/scripts')

diff --git a/p/scripts/main.js b/p/scripts/main.js
index 8980fe2f6..74631451a 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -752,7 +752,7 @@ function init_stream(divStream) {
 	});
 
 	divStream.on('click', '.flux .content a', function () {
-		$(this).attr('target', '_blank');
+		$(this).attr('target', '_blank').attr('rel', 'noreferrer');
 	});
 
 	if (context.auto_mark_site) {
-- 
cgit v1.2.3