Adds noref/noopen to external links for Mailgun and Snowplow
What does this MR do and why?
Adds rel="noopener noreferrer" to the external links for Mailgun and Snowplow on the admin/settings/general page.
This is a best practice to avoid "reverse tabnabbing": without noopener, the page opened via target="_blank" receives a window.opener reference and can navigate the original tab to an attacker-controlled URL (for example a look-alike sign-in page). noreferrer additionally withholds the Referer header and implies noopener in browsers that support it.
Screenshots or screen recordings
This was surfaced by running an authenticated DAST active scan on a self-managed GitLab instance.
How to set up and validate locally
- Navigate to `admin/settings/general` in the GitLab instance.
- Inspect the links for Mailgun and Snowplow and note that they have `target="_blank"` but do not have `rel="noopener noreferrer"`.
- Edit
_mailgun.html.haml:11and_snowplow.html.haml:10app/views/admin/application_settings/_mailgun.html.haml:11-- = _('Configure the %{link} integration.').html_safe % { link: link_to(_('Mailgun events'), 'https://documentation.mailgun.com/en/latest/user_manual.html#webhooks', target: '_blank') } ++ = _('Configure the %{link} integration.').html_safe % { link: link_to(_('Mailgun events'), 'https://documentation.mailgun.com/en/latest/user_manual.html#webhooks', target: '_blank', rel: 'noopener noreferrer') }app/views/admin/application_settings/_snowplow.html.haml:10-- = html_escape(_('Configure %{link} to track events. %{link_start}Learn more.%{link_end}')) % { link: link_to('Snowplow', 'https://snowplowanalytics.com/', target: '_blank').html_safe, link_start: link_start, link_end: '</a>'.html_safe } ++ = html_escape(_('Configure %{link} to track events. %{link_start}Learn more.%{link_end}')) % { link: link_to('Snowplow', 'https://snowplowanalytics.com/', target: '_blank', rel: 'noopener noreferrer').html_safe, link_start: link_start, link_end: '</a>'.html_safe } -
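Review bot: both hunks hand-write the same `rel: 'noopener noreferrer'` pair on individual `link_to` calls, so a grep of the remaining partials under app/views/admin/application_settings for `target: '_blank'` without a matching `rel:` is worth doing before merge, since the DAST scan only reports what it rendered; a shared helper for external links would keep the attribute pair from drifting between partials. In the Snowplow hunk the trailing `.html_safe` on the `link_to(...)` result is redundant, because `link_to` already returns a SafeBuffer (the Mailgun line relies on exactly that), and the two lines otherwise use different escaping patterns (`_('...').html_safe % {...}` versus `html_escape(_('...')) % {...}`) for the same construct; aligning both on the `html_escape` form would be the more conservative choice.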
Verify that the links for Mailgun and Snowplow now have `rel="noopener noreferrer"`. 🎉
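The verification step above can be automated. The following is an added example, not GitLab code and not part of this MR: a stand-alone Ruby script (standard library only) that scans rendered HTML for anchors that use `target="_blank"` without a `rel` containing `noopener` or `noreferrer`, which is the condition the DAST scan flagged. The HTML samples are constructed to mirror the Mailgun and Snowplow links before and after the change; attribute order and the exact markup Rails emits are assumptions, the check does not depend on them. Note that current browsers already treat `target="_blank"` as `noopener` by default, but an explicit `rel` remains the portable fix and is what scanners look for.

```ruby
# Added example (not GitLab code): find <a target="_blank"> anchors that do not sever
# window.opener. Only the Ruby standard library is used; the HTML below is constructed.

# Matches the opening tag of an anchor and captures its attribute string.
ANCHOR_RE = /<a\b([^>]*)>/im
# Matches one attribute: name, then a double-quoted, single-quoted or bare value.
ATTR_RE   = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/m

# Parse the attribute string of one <a ...> tag into a Hash of lowercase name => value.
def parse_attrs(attr_string)
  attr_string.scan(ATTR_RE).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] = dq || sq || bare
  end
end

# rel is a space-separated token list; noreferrer implies noopener in browsers.
def opener_severed?(rel)
  tokens = rel.to_s.downcase.split
  tokens.include?("noopener") || tokens.include?("noreferrer")
end

# Returns the href of every anchor that opens a new browsing context (target="_blank")
# but leaves window.opener available to the opened page.
def unsafe_blank_links(html)
  html.scan(ANCHOR_RE).filter_map do |(attr_string)|
    attrs = parse_attrs(attr_string)
    next unless attrs["target"].to_s.downcase == "_blank"
    next if opener_severed?(attrs["rel"])
    attrs.fetch("href", "(no href)")
  end
end

# Constructed samples mirroring the two links before and after the MR (markup is assumed).
BEFORE_HTML = <<~HTML
  <a target="_blank" href="https://documentation.mailgun.com/en/latest/user_manual.html#webhooks">Mailgun events</a>
  <a target="_blank" href="https://snowplowanalytics.com/">Snowplow</a>
  <a href="/admin/application_settings/general">Same-tab link, not affected</a>
HTML

AFTER_HTML = <<~HTML
  <a target="_blank" rel="noopener noreferrer" href="https://documentation.mailgun.com/en/latest/user_manual.html#webhooks">Mailgun events</a>
  <a target="_blank" rel="noopener noreferrer" href="https://snowplowanalytics.com/">Snowplow</a>
  <a href="/admin/application_settings/general">Same-tab link, not affected</a>
HTML

if $PROGRAM_NAME == __FILE__
  puts "before: #{unsafe_blank_links(BEFORE_HTML).inspect}"
  puts "after:  #{unsafe_blank_links(AFTER_HTML).inspect}"
end
```

Run it against the saved page source of admin/settings/general before and after applying the change; an empty result for the patched page is the expected outcome. The regex-based parsing is deliberate so the script has no gem dependencies, and it tolerates mixed-case tag names and single-quoted attribute values, which scanners also accept.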
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.