fix: do not leak referrer when clicking Sourcegraph extension links

Stephen Gutekanst · Stephen Gutekanst · commit 2836554b2d8c · 2018-10-26T13:20:48.000-07:00
Prior to this change clicking a link provided by a Sourcegraph extension would leak referrer information. We apply the same `rel` attribute in Sourcegraph to prevent this: https://sourcegraph.com/github.com/sourcegraph/sourcegraph@4ac84723437a325405bf073a99f45fae1be9ec43/-/blob/src/repo/blob/LineDecorationAttachment.tsx#L52:17 Now we also prevent it here in the browser extension. Fixes sourcegraph/sourcegraph-extension-api#106
diff --git a/src/libs/code_intelligence/extensions.tsx b/src/libs/code_intelligence/extensions.tsx
@@ -179,7 +179,10 @@ export const applyDecoration = (
 
             // External URLs should open in a new tab, whereas relative URLs
             // should not.
-            link.setAttribute('target', /^https?:\/\//.test(url) ? '_blank' : undefined)
+            link.setAttribute('target', /^https?:\/\//.test(url) ? '_blank' : '')
+
+            // Avoid leaking referrer URLs (which contain repository and path names, etc.) to external sites.
+            link.setAttribute('rel', 'noreferrer noopener')
 
             link.style.color = decoration.after!.color || null
             link.appendChild(e)
