From 6de67c8a50cf4afebb08957f0b38f4f646e7f02c Mon Sep 17 00:00:00 2001
From: Adrian Schaedle
Date: Wed, 28 Jun 2023 14:48:30 -0400
Subject: [PATCH] Action.OpenUrl with a top-level browsing context

While HTML links [launch without an opener reference][spec], [`window.open`][vulnerability] provides a reference to the parent page through an auxiliary browsing context. Given untrusted URL input, this can lead to tabnabbing and phishing attacks.

This change uses the [noopener] and [noreferrer] [window features] for the default link handler in the React renderer.

[spec]: https://github.com/whatwg/html/issues/4078
[vulnerability]: https://mathiasbynens.github.io/rel-noopener/
[window features]: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#windowfeatures
[noopener]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener
[noreferrer]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer
---
 source/nodejs/adaptivecards-react/src/adaptive-card.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/nodejs/adaptivecards-react/src/adaptive-card.tsx b/source/nodejs/adaptivecards-react/src/adaptive-card.tsx
index fa617c7ceb..9efd484ec8 100644
--- a/source/nodejs/adaptivecards-react/src/adaptive-card.tsx
+++ b/source/nodejs/adaptivecards-react/src/adaptive-card.tsx
@@ -43,7 +43,7 @@ const propTypes = {
 };
 
 const defaultOpenUrlHandler = (action: AdaptiveCards.OpenUrlAction) => {
- window.open(action.url, '_blank');
+ window.open(action.url, '_blank', 'noopener,noreferrer');
 };
 
 const setUpMarkdownIt = () => {
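Review bot: The new `window.open` call in `defaultOpenUrlHandler` still passes `action.url` to the browser unvalidated, so a card payload carrying a `javascript:` or `data:` URL is still handed off as-is; `noopener,noreferrer` severs the opener reference and the Referer header but does nothing about the URL's scheme. Since the commit message itself treats the URL as untrusted input, the default handler should check the scheme before opening, along the lines of `const url = new URL(action.url, window.location.href);` / `if (!['http:', 'https:', 'mailto:'].includes(url.protocol)) { return; }` / `window.open(url.href, '_blank', 'noopener,noreferrer');` (with a try/catch around the `URL` constructor if malformed URLs should be dropped silently rather than thrown). Note that with `noopener` set, `window.open` returns `null` in conforming browsers, which is harmless here because the handler discards the return value, but worth a one-line comment, e.g. `// noopener makes window.open return null; the handle is intentionally unused.` The arrow function is shown in full within the hunk.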