HackerOne reported issue: Links in Environments tab vulnerable to tabnabbing (target=_blank without noopener, noreferrer)
A user reported via HackerOne that GitLab project environments tabs can contain external links opened with target=_blank, yet they do not include the standard noopener noreferrer to prevent tabnabbing.
We need to add these options to all external links opened with
The attack surface is very low here as environments can only be viewed by members of a project that have developer or greater access and environments can only be created by members of that same project who also have developer or greater access.
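One way to audit rendered markup for the pattern described in this issue and to apply the fix, as an added example that is not GitLab's own code. The function names and SAMPLE_HTML are constructed for illustration, and the regex-based tag matching assumes an HTML fragment without comments or script blocks.

```javascript
// Added example: all names and SAMPLE_HTML are constructed for illustration.
const REQUIRED_REL = ["noopener", "noreferrer"];
// An opening <a> tag; quoted attribute values may contain ">".
const ANCHOR_RE = /<a(?=[\s>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse one opening tag into a Map of lower-cased attribute name -> value.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.slice(2, -1).matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// rel tokens still missing; [] when the link is safe or has no target=_blank.
function missingRel(attrs) {
  if ((attrs.get("target") || "").toLowerCase() !== "_blank") return [];
  const have = (attrs.get("rel") || "").toLowerCase().split(/\s+/);
  return REQUIRED_REL.filter((t) => !have.includes(t));
}

// Audit: every opening tag that uses target=_blank without both tokens.
function findUnsafeLinks(html) {
  return [...html.matchAll(ANCHOR_RE)]
    .map((m) => m[0])
    .filter((tag) => missingRel(parseAttrs(tag)).length > 0);
}

// Fix: rewrite unsafe tags, keeping existing rel tokens such as "nofollow".
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    const missing = missingRel(attrs);
    if (missing.length === 0) return tag;
    const rel = [...(attrs.get("rel") || "").split(/\s+/), ...missing];
    attrs.set("rel", rel.filter(Boolean).join(" "));
    const out = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${out.join(" ")}>`;
  });
}

// Constructed sample: two unsafe links, one already safe, one same-tab link.
const SAMPLE_HTML = [
  '<a href="https://review.example.test" target="_blank">View deployment</a>',
  '<a href="https://docs.example.test" target="_blank" rel="nofollow">Docs</a>',
  '<a href="https://ok.example.test" target="_blank" rel="noopener noreferrer">OK</a>',
  '<a href="/internal">Same tab</a>',
].join("\n");
console.log(findUnsafeLinks(SAMPLE_HTML));
```

Running findUnsafeLinks over rendered view output in a test suite catches new links that reintroduce the problem; hardenLinks leaves safe and same-tab links byte-for-byte unchanged.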