
Fix reverse tabnabbing issue

Dominic Couture requested to merge pages-reverse-tabnabbing into master

What does this MR do and why?

Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/202060

The link is vulnerable to reverse tabnabbing. In reality, this can really only be exploited by an admin, so it's really low severity (hence the public fix), but it's very simple, so I opened this MR.

Screenshots or screen recordings

No visual changes

How to set up and validate locally

Inspect the GitLab Pages link in http://127.0.0.1:3000/help/instance_configuration


It should have the noopener noreferrer value for the rel attribute. If GitLab Pages is configured to run locally, click on the link and run window.opener in the console; the result should be null.
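The same check the validation step does by hand can be done over markup before it ships. The script below is an added example, not code from this MR or from GitLab: it scans an HTML snippet for anchors that open a new tab (target="_blank") without a rel value of noopener or noreferrer, which is exactly the condition that leaves window.opener pointing back at the opener tab, and it rewrites those anchors so the handle is severed. The regex-based attribute parser and the sample HTML (with example.test hosts) are constructed for this demonstration; noreferrer is treated as sufficient on its own because the HTML specification defines it to imply noopener.

```javascript
// Added example (not from the MR): audit and harden anchors against reverse
// tabnabbing. A link opened via target="_blank" without rel="noopener" (or
// "noreferrer", which implies it) hands the new page a window.opener
// reference to the originating tab, which it can then navigate.

const ANCHOR_RE = /<a\b([^>]*)>/gi;                  // every <a ...> start tag
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;     // double-quoted attributes only (assumption)

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Split a rel attribute into its whitespace-separated tokens.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the anchor opens a new browsing context and keeps window.opener.
function isTabnabbable(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  return !(rel.has('noopener') || rel.has('noreferrer'));
}

// Return the hrefs of every exposed anchor in the snippet (empty = clean).
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isTabnabbable(attrs)) findings.push(attrs.href || '(no href)');
  }
  return findings;
}

// Rewrite exposed anchors so rel carries both noopener and noreferrer,
// preserving any rel tokens (e.g. "external") that were already present.
function hardenHtml(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isTabnabbable(attrs)) return tag;
    const rel = relTokens(attrs.rel);
    rel.add('noopener');
    rel.add('noreferrer');
    const newRel = [...rel].join(' ');
    if (attrs.rel !== undefined) {
      return tag.replace(/rel\s*=\s*"[^"]*"/i, `rel="${newRel}"`);
    }
    return `<a${attrText} rel="${newRel}">`;
  });
}

// Constructed sample: one exposed external link, one already hardened,
// one exposed link with an unrelated rel token, and one same-tab link.
const SAMPLE_HTML = [
  '<p>Pages: <a href="https://pages.example.test" target="_blank">GitLab Pages</a></p>',
  '<a href="https://docs.example.test" target="_blank" rel="noopener noreferrer">Docs</a>',
  '<a href="/help" target="_blank" rel="external">Help</a>',
  '<a href="/same-tab">Same tab</a>',
].join('\n');

console.log('exposed before:', auditHtml(SAMPLE_HTML));
console.log('exposed after :', auditHtml(hardenHtml(SAMPLE_HTML)));
```

Run with node; the first audit reports the two exposed hrefs and the second reports none. In a real browser the end-to-end confirmation is the one the MR describes: after following a hardened link, window.opener in the new tab's console is null.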

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
