Skip to content

fix(web): add noopener and noreferrer to external source links#771

Open
Sahilshrma31 wants to merge 1 commit intonodejs:mainfrom
Sahilshrma31:fix/jsx-ast-noopener-source-links
Open

fix(web): add noopener and noreferrer to external source links#771
Sahilshrma31 wants to merge 1 commit intonodejs:mainfrom
Sahilshrma31:fix/jsx-ast-noopener-source-links

Conversation

@Sahilshrma31
Copy link
Copy Markdown

@Sahilshrma31 Sahilshrma31 commented Apr 15, 2026

Description

Adds rel="noopener noreferrer" to source-code links generated by the web docs pipeline when links open in a new tab (target="_blank").

The source link rendering in jsx-ast currently opens external GitHub links in a new tab but does not set a rel attribute. This change hardens link behavior by preventing opener access and aligning with standard security best practices for external links.

Validation

I validated this by generating docs and inspecting rendered source-code links in the output HTML.

Before

Generated source links had:

target="_blank"
no rel attribute

After

Generated source links now have:

target="_blank"
rel="noopener noreferrer"

This preserves existing behavior (open in new tab) while adding safer link semantics.

Related Issues

N/A

Check List

  • I have read the Contributing Guidelines and made commit messages that follow the guideline.
  • I have run node --run test and all tests passed.
  • I have check code formatting with node --run format & node --run lint.
  • I've covered new added functionality with unit tests if necessary.

@Sahilshrma31 Sahilshrma31 requested a review from a team as a code owner April 15, 2026 14:27
@cursor
Copy link
Copy Markdown

cursor Bot commented Apr 15, 2026
edited
Loading

PR Summary

Low Risk
Low risk, single-attribute change to generated external links; main impact is link behavior/security hardening with minimal chance of regressions.

Overview
Adds rel="noopener noreferrer" to the GitHub source code links generated by createSourceLink in buildContent.mjs when opening in a new tab (target="_blank"), preventing window.opener access and aligning with external-link security best practices.

Reviewed by Cursor Bugbot for commit 15b232b. Bugbot is set up for automated code reviews on this repo. Configure here.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
api-docs-tooling Ready Ready Preview Apr 15, 2026 2:28pm

Request Review

bmuenzenmeyer
bmuenzenmeyer approved these changes Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@bmuenzenmeyer bmuenzenmeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is probably overkill for a GH link (we trust them more implicitly) but no harm here. noopener is redundant in most browsers, but again, not much harm

((we do both within nodejs.org anyways))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmuenzenmeyer bmuenzenmeyer bmuenzenmeyer approved these changes

@araujogui araujogui araujogui approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Sahilshrma31 @bmuenzenmeyer @araujogui