[Security] Missing rel=noreferrer and rel=noopener in links
Mickael-van-der-Beek opened this issue · comments
When a user sends a message containing a URL, Darkwire transforms the URL into an HTML anchor tag with an href link to the URL in question using the Autolinker module.
This creates two important security vulnerabilities.
- Missing rel=noreferrer
When a user clicks on a link sent by another user in the same chat room, the request made by the browser to fetch the resource referenced by the URL will contain a Referrer
header whose value will be the chatroom's full URL.
This creates an issue where the administrator of any website to which a Darkwire user browsed can just look up the Darkwire chatroom URL in the Referrer
header of his server logs.
- Missing rel=noopener
Since anchor tags created by Autolinker contain a target=_blank
attribute, users clicking on this link will be vulnerable to tab-jacking attacks.
More details can be found in this blog post: https://mathiasbynens.github.io/rel-noopener/
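The two anchor shapes discussed in this issue, as an added example that is not Darkwire's or Autolinker's own code: a minimal linkifier that turns URLs in a chat message into anchors, emitting either the unhardened form (target="_blank" with no rel) or the hardened form with rel="noopener noreferrer", plus an audit helper that flags any anchor opening a new tab without both rel tokens. The URL pattern, escaping rules and function names are assumptions of this example.

```javascript
// Added illustration code (not from Darkwire or the Autolinker module).
// Assumed: only http(s) URLs are linkified and everything else is HTML-escaped text.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Trailing sentence punctuation is usually not part of the URL; keep it as text.
function splitTrailingPunct(url) {
  const m = url.match(/[.,;:!?)]+$/);
  return m ? [url.slice(0, -m[0].length), m[0]] : [url, ''];
}

// hardened=false reproduces the anchor shape described in the issue (target=_blank, no rel);
// hardened=true adds rel="noopener noreferrer" so the opened page gets neither window.opener
// nor a Referer header carrying the chatroom URL.
function linkify(text, { hardened = true } = {}) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const [url, trailing] = splitTrailingPunct(m[0]);
    out += escapeHtml(text.slice(last, m.index));
    const rel = hardened ? ' rel="noopener noreferrer"' : '';
    out += `<a href="${escapeHtml(url)}" target="_blank"${rel}>${escapeHtml(url)}</a>`;
    out += escapeHtml(trailing);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Audit helper: return every <a> tag that targets a new tab but lacks noopener or noreferrer.
// Useful as a unit-test guard over the HTML a message renderer produces.
function findUnsafeAnchors(html) {
  const unsafe = [];
  for (const tag of html.matchAll(/<a\b[^>]*>/gi)) {
    const t = tag[0];
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(t)) continue;
    const relMatch = t.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = (relMatch ? relMatch[1] : '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener') || !rel.includes('noreferrer')) unsafe.push(t);
  }
  return unsafe;
}

module.exports = { linkify, findUnsafeAnchors, escapeHtml };
```

Both tokens are emitted because rel="noreferrer" also implies noopener in current browsers, while older browsers only understood one of them; `findUnsafeAnchors` therefore treats an anchor as safe only when both are present, which is the conservative check for a renderer that has to serve a range of clients.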
Fixed in v1.5.8