GitLab.org / GitLab FOSS / Issues / #29081
Closed
Issue created Mar 06, 2017 by Brian Neel (@briann), Contributor

HackerOne reported issue: Links in Environments tab vulnerable to tabnabbing (target=_blank without noopener, noreferrer)

A user reported via HackerOne that the Environments tab of a GitLab project can contain external links opened with target=_blank that do not carry the standard rel="noopener noreferrer", which is what prevents the opened page from tabnabbing the originating tab.

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

We need to add these options to all external links opened with target=_blank.

The attack surface is very low here: environments can only be viewed by members of a project with developer or greater access, and environments can only be created by members of that same project who also have developer or greater access.
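As an added example (not GitLab's own code), the following Node.js script audits rendered HTML for anchors that open a new tab without both rel tokens, and rewrites them to carry rel="noopener noreferrer", which is the fix this issue calls for. The sample markup is constructed to resemble an environments table and is not taken from GitLab; the regex-based tag parser is a simplification that assumes well-formed attribute syntax rather than a full HTML parser.

```javascript
// Added example, not GitLab's code. Audit and harden anchors that open in a
// new browsing context (target=_blank) without rel="noopener noreferrer",
// the condition that lets the opened page reach window.opener (tabnabbing).
// Operates on an HTML string so it runs in Node without a DOM.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const REL_ATTR_RE = /\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Constructed sample: one already-hardened link, one internal link, one link
// with an unrelated rel value, and one plain target=_blank link.
const SAMPLE_HTML = `
<td><a href="https://example.test/deploy" target="_blank">external URL</a></td>
<td><a href="https://example.test/logs" target="_blank" rel="noopener noreferrer">logs</a></td>
<td><a href="/group/project/environments/1">Environment 1</a></td>
<td><a href="https://example.test/stop" target="_blank" rel="nofollow">stop</a></td>
`;

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// An anchor needs hardening when it targets a new tab and its rel lacks
// either token. Modern browsers treat noreferrer as implying noopener, but
// the issue asks for both, so both are required explicitly.
function needsHardening(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = new Set((attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  return !(rel.has("noopener") && rel.has("noreferrer"));
}

// Merge the required tokens into an existing rel value without duplicates.
function hardenedRel(existingRel) {
  const tokens = new Set((existingRel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// Return the href of every vulnerable anchor, for a report or a test.
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (needsHardening(attrs)) findings.push(attrs.href || "");
  }
  return findings;
}

// Rewrite every vulnerable anchor so it carries rel="noopener noreferrer",
// replacing an existing rel attribute or appending one.
function hardenHtml(html) {
  return html.replace(ANCHOR_RE, (full, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!needsHardening(attrs)) return full;
    const rel = hardenedRel(attrs.rel);
    if (REL_ATTR_RE.test(attrText)) {
      return `<a${attrText.replace(REL_ATTR_RE, `rel="${rel}"`)}>`;
    }
    return `<a${attrText} rel="${rel}">`;
  });
}

console.log("vulnerable before:", auditHtml(SAMPLE_HTML));
console.log("vulnerable after: ", auditHtml(hardenHtml(SAMPLE_HTML)));
```

Run it with `node tabnabbing_audit.js`. The audit is useful as a regression check in a view-layer test suite: render the page, pass the HTML through `auditHtml`, and fail the test if any href comes back. The hardening function shows the shape of the template fix, but in an application the rel attribute belongs in the template or link helper rather than in a post-render rewrite.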
