zulip

Commit Graph

Author	SHA1	Message	Date
Anders Kaseorg	68cfcd6446	CVE-2020-9444: Prevent reverse tabnabbing attacks. While we could fix this issue by changing the markdown processor, doing so is not a robust solution, because even a momentary bug in the markdown processor could allow cached messages that do not follow our security policy. This change ensures that even if our markdown processor has bugs that result in rendered content that does not properly follow our policy of using rel="noopener noreferrer" on links, we'll still do something reasonable. Co-authored-by: Tim Abbott <tabbott@zulipchat.com> Signed-off-by: Anders Kaseorg <anders@zulipchat.com>	2020-04-01 14:01:45 -07:00

Author

SHA1

Message

Date

Anders Kaseorg

68cfcd6446

CVE-2020-9444: Prevent reverse tabnabbing attacks.

While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

2020-04-01 14:01:45 -07:00

1 Commits