wlswo opened a new pull request, #19483: URL: https://github.com/apache/druid/pull/19483
### Description

Several Blueprint `MenuItem` and `AnchorButton` usages in the web console open external links in a new tab via `target="_blank"` but do not set the companion `rel` attribute. Unlike the project's own `ExternalLink` component, **Blueprint does not inject `rel="noopener noreferrer"` automatically** — confirmed against the rendered HTML in the existing `about-dialog` snapshot, where the `<a>` produced by `AnchorButton` carries `target="_blank"` but no `rel`.

Two concrete consequences in the current behavior:

- The new tab can reach back into the opener window via `window.opener`, which is a well-known tabnabbing surface that `noopener` is meant to close.
- The destination receives the Druid console's URL as a `Referer` header on the request, which `noreferrer` would suppress.

This change adds `rel="noopener noreferrer"` to every existing `target="_blank"` call site that was missing it:

| File | What |
| --- | --- |
| `components/header-bar/header-bar.tsx` | Help menu items (Docs / User group / Slack channel / GitHub) and the Explore link |
| `dialogs/about-dialog/about-dialog.tsx` | "Visit Druid" button in the about dialog |
| `views/workbench-view/workbench-view.tsx` | DruidSQL documentation menu item |
| `views/workbench-view/run-panel/run-panel.tsx` | Array ingest mode docs menu item |
| `views/load-data-view/load-data-view.tsx` | `flattenSpec` help button |
| `views/sql-data-loader-view/schema-step/schema-step.tsx` | "Learn more..." button under the primary-timestamp callout |

The project's own `ExternalLink` component (`components/external-link/external-link.tsx`) already follows this pattern. This PR just makes the rest of the codebase consistent with it.

Snapshot tests for `header-bar` and `about-dialog` are updated to reflect the added attribute; no other behavior changes.
#### Release note

Web console links that open in a new tab now consistently include `rel="noopener noreferrer"`, eliminating a tabnabbing vector and suppressing the `Referer` header on outbound clicks.

##### Key changed/added classes in this PR

- `web-console/src/components/header-bar/header-bar.tsx`
- `web-console/src/dialogs/about-dialog/about-dialog.tsx`
- `web-console/src/views/workbench-view/workbench-view.tsx`
- `web-console/src/views/workbench-view/run-panel/run-panel.tsx`
- `web-console/src/views/load-data-view/load-data-view.tsx`
- `web-console/src/views/sql-data-loader-view/schema-step/schema-step.tsx`

<hr>

This PR has:

- [x] been self-reviewed.
- [x] added documentation for new or modified features or behaviors. *(N/A — internal attribute fix, no user-facing docs)*
- [x] a release note entry in the PR description.
- [x] added Javadocs for most classes and all non-trivial methods. *(N/A — TypeScript)*
- [x] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/licenses.yaml) *(N/A — no dependency change)*
- [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader. *(N/A — standard HTML attribute)*
- [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met. *(existing snapshot tests updated; no new code paths)*
- [x] added integration tests. *(N/A)*
- [x] been tested in a test Druid cluster. *(N/A — pure attribute addition verified by `npm run test-unit`: typecheck, eslint, prettier, and all 750 jest tests pass)*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
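As an added example (not code from this PR or the Druid project), the following Node.js check scans rendered HTML, such as a Jest snapshot, for `<a>` tags that set `target="_blank"` without both `noopener` and `noreferrer`, which is exactly the gap the PR closes. The markup in `SAMPLE_HTML` is constructed for illustration and mirrors the before and after states the description mentions.

```javascript
// Detection helper: report anchors that open a new tab but do not carry
// both rel tokens ("noopener" blocks window.opener, "noreferrer" drops the
// Referer header). Meant for rendered HTML / snapshot files, not JSX.

// Matches an opening <a ...> tag; \b keeps <abbr> and similar from matching.
const ANCHOR_TAG_RE = /<a\b([^>]*)>/gi;
// Matches name="value", name='value' or name=value; valueless attributes
// (e.g. "disabled") are ignored because they never carry target/rel data.
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    // Attribute names are case-insensitive in HTML, so normalise them.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per unsafe anchor: { href, missing: [...] }.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    // rel is a space-separated, case-insensitive token list in any order.
    const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    const missing = ['noopener', 'noreferrer'].filter((t) => !rel.has(t));
    if (missing.length > 0) findings.push({ href: attrs.href || '', missing });
  }
  return findings;
}

// Constructed sample markup: an unfixed button, a fully fixed link with
// tokens in mixed case and order, a half-fixed link, and a same-tab link.
const SAMPLE_HTML = `
<a class="button" href="https://druid.apache.org" target="_blank">Visit Druid</a>
<a href="https://druid.apache.org/docs" target='_BLANK' rel="noreferrer NOOPENER">Docs</a>
<a href="https://example.invalid" target="_blank" rel="noopener">Half fixed</a>
<a href="/internal">Same tab</a>
`;

console.log(JSON.stringify(findUnsafeBlankLinks(SAMPLE_HTML), null, 2));
```

Running it against a snapshot directory (for example by reading each `.snap` file and passing its contents in) gives a quick regression check that no new `target="_blank"` site lands without the `rel` attribute.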
