codeant-ai-for-open-source[bot] commented on code in PR #37451:
URL: https://github.com/apache/superset/pull/37451#discussion_r2728805316


##########
docs/docusaurus.config.ts:
##########
@@ -473,8 +473,10 @@ const config: Config = {
     footer: {
       links: [],
       copyright: `
-          <div class="footer__applitools">
-            We use &nbsp;<a href="https://applitools.com/"; target="_blank" 
rel="nofollow"><img src="/img/applitools.png" title="Applitools" /></a>
+          <div class="footer__ci-services">
+            <span>CI powered by</span>
+            <a href="https://applitools.com/"; target="_blank" 
rel="nofollow"><img src="/img/applitools.png" alt="Applitools" 
title="Applitools - Visual Testing" /></a>
+            <a href="https://www.netlify.com/"; target="_blank" 
rel="nofollow"><img src="/img/netlify.svg" alt="Netlify" title="Netlify - 
Deploy Previews" /></a>
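Review bot: the two new anchors (`<a href="https://applitools.com/" target="_blank" rel="nofollow">` and the Netlify one below it) combine `target="_blank"` with a `rel` that contains only `nofollow`, so the opened page keeps a `window.opener` reference; add `noopener` or `noreferrer` to each, e.g. `rel="noreferrer nofollow"`, keeping `nofollow` for the crawler hint. The rename of the wrapper class from `footer__applitools` to `footer__ci-services` should be checked against the docs CSS so no stale selector is left behind; the added `alt` attributes on both images and the `<span>` replacing the `&nbsp;` spacing are welcome accessibility and layout improvements.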

Review Comment:
   **Suggestion:** The external links to the CI providers open in a new tab 
using `target="_blank"` but only specify `rel="nofollow"`, which leaves 
`window.opener` intact and exposes the site to reverse tabnabbing; align with 
the rest of the footer by adding `noreferrer` (and keeping `nofollow`) to these 
links. [security]
   
   <details>
   <summary><b>Severity Level:</b> Critical 🚨</summary>
   
   ```mdx
   - ❌ Footer external links enable reverse tabnabbing risk.
   - ⚠️ Inconsistent link-security compared to other footer links.
   - ⚠️ All docs pages render affected footer (site-wide).
   ```
   </details>
   
   ```suggestion
               <a href="https://applitools.com/"; target="_blank" 
rel="noreferrer nofollow"><img src="/img/applitools.png" alt="Applitools" 
title="Applitools - Visual Testing" /></a>
               <a href="https://www.netlify.com/"; target="_blank" 
rel="noreferrer nofollow"><img src="/img/netlify.svg" alt="Netlify" 
title="Netlify - Deploy Previews" /></a>
   ```
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Open the repository with the PR applied and inspect the docs footer 
source at
   docs/docusaurus.config.ts (final file state). The CI service anchors are at 
lines 478-479.
   
   2. Build the docs site (local Docusaurus build) or open any docs page 
served; the footer
   HTML includes those anchors which have target="_blank" and rel="nofollow".
   
   3. On any rendered page, click the Applitools or Netlify logo in the footer 
— the link
   opens in a new tab and the newly opened page retains a window.opener 
reference because rel
   excludes noreferrer/noopener.
   
   4. Verify other footer links in the same file (e.g., the Apache links at 
lines ~482-483 in
   docs/docusaurus.config.ts) include rel="noreferrer" — confirming the 
intended pattern used
   elsewhere in the file and that these two anchors are inconsistent.
   
   5. Because window.opener is available, a malicious external page could 
navigate the
   original page (reverse tabnabbing) — reproduce by creating a local page that 
calls
   window.opener.location to demonstrate the opener reference exists after 
clicking the
   footer link.
   
   Note: The reproduction references concrete locations in 
docs/docusaurus.config.ts where
   the inconsistent rel attributes appear (lines 478-479) and compares them to 
nearby links
   that already include noreferrer (lines ~482-483).
   ```
   </details>
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** docs/docusaurus.config.ts
   **Line:** 478:479
   **Comment:**
        *Security: The external links to the CI providers open in a new tab 
using `target="_blank"` but only specify `rel="nofollow"`, which leaves 
`window.opener` intact and exposes the site to reverse tabnabbing; align with 
the rest of the footer by adding `noreferrer` (and keeping `nofollow`) to these 
links.
   
   Validate the correctness of the flagged issue. If correct, How can I resolve 
this? If you propose a fix, implement it and please make it concise.
   ```
   </details>
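As an added example (my own code, not code from the Superset PR or from Docusaurus), the following TypeScript lint scans an HTML string for `target="_blank"` anchors whose `rel` lacks `noopener`/`noreferrer` and rewrites them the way the suggestion above does. The `FOOTER_SAMPLE` markup is constructed to resemble the footer in the hunk, and the function names are assumptions. Current browsers already treat `target="_blank"` as `noopener` by default, so the explicit token mainly covers older engines and makes the intent visible in source; a check like this is still a cheap CI gate for templated markup.

```typescript
// Added example (not from the Superset PR or Docusaurus): find target="_blank"
// anchors whose rel lacks noopener/noreferrer and rewrite them. Works on a raw
// HTML string, so it runs in Node without a DOM. Regex-based: good enough for
// templated snippets such as a site footer, not a general HTML parser.

interface AnchorFinding {
  href: string;   // the anchor's href, or "" if absent
  rel: string[];  // rel tokens as written, lowercased
}

// Collect name="value" attribute pairs from the body of an <a ...> start tag.
function parseAttributes(tagBody: string): Record<string, string> {
  const attrs: Record<string, string> = {};
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(tagBody)) !== null) {
    attrs[(m[1] ?? "").toLowerCase()] = m[2] ?? "";
  }
  return attrs;
}

function relTokens(attrs: Record<string, string>): string[] {
  return (attrs["rel"] ?? "").toLowerCase().split(/\s+/).filter(Boolean);
}

function opensInNewTab(attrs: Record<string, string>): boolean {
  return (attrs["target"] ?? "").toLowerCase() === "_blank";
}

// noreferrer implies noopener in the HTML spec, so either token severs window.opener.
function severesOpener(rel: string[]): boolean {
  return rel.indexOf("noopener") !== -1 || rel.indexOf("noreferrer") !== -1;
}

// Report every target="_blank" anchor that still hands window.opener to the new page.
function findUnsafeBlankAnchors(html: string): AnchorFinding[] {
  const findings: AnchorFinding[] = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m: RegExpExecArray | null;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1] ?? "");
    if (!opensInNewTab(attrs)) continue;
    const rel = relTokens(attrs);
    if (!severesOpener(rel)) findings.push({ href: attrs["href"] ?? "", rel });
  }
  return findings;
}

// Return the HTML with "noreferrer" prepended to the rel of each unsafe anchor;
// anchors that are already safe, or that do not use target="_blank", are untouched.
function hardenBlankAnchors(html: string): string {
  return html.replace(/<a\b([^>]*)>/gi, (full: string, body: string) => {
    const attrs = parseAttributes(body);
    if (!opensInNewTab(attrs)) return full;
    const rel = relTokens(attrs);
    if (severesOpener(rel)) return full;
    const relValue = ["noreferrer"].concat(rel).join(" ");
    return attrs["rel"] !== undefined
      ? full.replace(/\brel\s*=\s*"[^"]*"/i, `rel="${relValue}"`)
      : full.replace(/^<a\b/i, `<a rel="${relValue}"`);
  });
}

// Convenience entry point for a CI step: the hrefs that need fixing.
function unsafeHrefs(html: string): string[] {
  return findUnsafeBlankAnchors(html).map((f) => f.href);
}

// Constructed sample modelled on the footer markup in the PR (not the real file).
const FOOTER_SAMPLE = `
<div class="footer__ci-services">
  <span>CI powered by</span>
  <a href="https://applitools.com/" target="_blank" rel="nofollow"><img src="/img/applitools.png" alt="Applitools" /></a>
  <a href="https://www.netlify.com/" target="_blank" rel="nofollow"><img src="/img/netlify.svg" alt="Netlify" /></a>
  <a href="https://www.apache.org/" target="_blank" rel="noreferrer">Apache Software Foundation</a>
  <a href="/docs/intro">Docs</a>
</div>`;

if (unsafeHrefs(FOOTER_SAMPLE).length > 0) {
  console.log("unsafe target=_blank anchors:", unsafeHrefs(FOOTER_SAMPLE));
  console.log(hardenBlankAnchors(FOOTER_SAMPLE));
}
```

Run it against the rendered footer HTML (or the template string in the config) as a pre-commit or CI step; a non-empty result from `unsafeHrefs` fails the build, and `hardenBlankAnchors` shows the exact rewrite, which for the two CI links is `rel="noreferrer nofollow"`, the same change the suggestion above proposes.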



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
