[PR #24204] fix(security): add rel=noopener noreferrer to all target=_blank links #66407

opened 2026-05-06 12:45:07 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24204
Author: @akinshaywai
Created: 4/28/2026
Status: 🔄 Open

Base: dev ← Head: fix/a11y-external-links-rel


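📝 Commits (10+)

  • fe6783c Merge pull request #19030 from open-webui/dev
  • fc05e0a Merge pull request #19405 from open-webui/dev
  • e3faec6 Merge pull request #19416 from open-webui/dev
  • 9899293 Merge pull request #19448 from open-webui/dev
  • 140605e Merge pull request #19462 from open-webui/dev
  • 6f1486f Merge pull request #19466 from open-webui/dev
  • d95f533 Merge pull request #19729 from open-webui/dev
  • a727153 0.6.43 (#20093)
  • 6adde20 Merge pull request #20394 from open-webui/dev
  • f9b0534 Merge pull request #20522 from open-webui/dev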

📊 Changes

4 files changed (+16 additions, -11 deletions)

📝 src/lib/components/chat/Settings/About.svelte (+9 -7)
📝 src/lib/components/chat/Settings/Integrations.svelte (+4 -2)
📝 src/lib/components/chat/ShareChatModal.svelte (+1 -1)
📝 src/lib/components/chat/ToolServersModal.svelte (+2 -1)

📄 Description

Summary

External links opened with target="_blank" expose the current page to reverse tabnapping — the opened tab can access window.opener and redirect the parent page. rel="noopener noreferrer" prevents this by nullifying window.opener and stripping the Referer header.

Added rel="noopener noreferrer" to all affected target="_blank" links across four components:

| File | Links fixed |
|------|-------------|
| ShareChatModal.svelte | Shared chat preview link |
| ToolServersModal.svelte | OpenAPI servers docs |
| Settings/About.svelte | Discord, Twitter/X, GitHub stars badge, Twemoji, CC-BY 4.0, Open WebUI Inc., LICENSE, Timothy J. Baek |
| Settings/Integrations.svelte | OpenAPI tool servers docs, Open Terminal docs |

Changes

  • src/lib/components/chat/ShareChatModal.svelte
  • src/lib/components/chat/ToolServersModal.svelte
  • src/lib/components/chat/Settings/About.svelte
  • src/lib/components/chat/Settings/Integrations.svelte

Test plan

  • Open each affected modal/settings tab — all links open in a new tab as before
  • Verify window.opener is null in the opened tab (DevTools console: window.opener)
  • No visual regression

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-05-06 12:45:07 -05:00
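
A check that could back the test plan above in CI, as an added example (not code from the PR or from Open WebUI): it scans HTML or Svelte markup for `<a target="_blank">` tags whose `rel` carries neither `noopener` nor `noreferrer`. The function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example (not from the PR): flag <a target="_blank"> tags missing a safe rel.

// Read the opening tag that starts at `start`, skipping quoted values and
// Svelte {expressions} so a '>' inside them does not end the tag early.
function readOpeningTag(src, start) {
  let quote = null, depth = 0;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '{') depth++;
    else if (c === '}') depth--;
    else if (c === '>' && depth === 0) return src.slice(start, i + 1);
  }
  return src.slice(start); // unterminated tag: take the rest
}

// Value of attribute `name` (quoted, or unquoted such as rel={expr}), or null.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findUnsafeBlankLinks(src) {
  const findings = [];
  const open = /<a(?=[\s>])/gi; // matches <a ...> but not <abbr>, <article>
  let m;
  while ((m = open.exec(src)) !== null) {
    const tag = readOpeningTag(src, m.index);
    if ((attr(tag, 'target') || '').toLowerCase() !== '_blank') continue;
    const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
    // noreferrer implies noopener in the HTML spec, so either keyword is enough
    // to null window.opener; a dynamic rel={expr} cannot be verified and is flagged.
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    const line = src.slice(0, m.index).split('\n').length;
    findings.push({ line, href: attr(tag, 'href') });
  }
  return findings;
}

// Constructed sample markup, not taken from the Open WebUI source.
const SAMPLE = `<a href="https://docs.example/openapi" target="_blank">docs</a>
<a
  href={shareUrl}
  target="_blank" rel="noopener noreferrer">preview</a>
<a href="/local" on:click={() => n > 1} target="_blank" rel="nofollow">x</a>
<abbr title="t">y</abbr> <a href="https://example.org" target='_blank' rel="noreferrer">ok</a>`;
console.log(findUnsafeBlankLinks(SAMPLE));
```

Run over each changed `.svelte` file, an empty result means every new-tab link in that file drops `window.opener`.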
Reference: github-starred/open-webui#66407