Gitpulse
The Gitpulse Dispatch
← gitpulse
Security·Pushed May 1, 2026·S

External links open in new tabs with security hardening

External links across the site now open in new browser tabs instead of navigating users away — with security attributes preventing reverse tabnabbing attacks.

External links across the site now open in new tabs. Previously, clicking an author URL or GitHub source link would navigate users away from the current page. Now those links open in a fresh tab, keeping readers on the site. The change also adds security hardening: all external links include rel="noopener noreferrer", which prevents the opened page from accessing the original page through window.opener. This blocks a known attack vector where a malicious site could hijack the referrer or redirect the parent page. In the site app, two footer links on the story detail page gain the new behavior — author URLs and GitHub source links. The same attribute is applied to author links in the StoryCard component that appears across listing pages. Three links updated in total, all pointing to external resources.
Technical description
External links across the site now open in new tabs with security hardening. Two files were updated in the site package. On the story detail page, both author links and GitHub source links in the footer gained the new behavior. The [[code]]page.tsx[[/code]] file at [[code ref=1]]site/src/app/stories/[id]/page.tsx[[/code]] wraps author URLs and [[code ref=2]]source URLs[[/code]] with target="_blank" and rel="noopener noreferrer". The [[code]]StoryCard.tsx[[/code]] component at [[code ref=3]]site/src/components/StoryCard.tsx[[/code]] received the same treatment for author URLs displayed in the card footer. The change follows a standard security pattern: rel="noopener noreferrer" ensures the opened page cannot access window.opener on the parent page, preventing reverse tabnabbing attacks. This is particularly important for user-generated content like author links. Files at a Glance: - [[code]]site/src/app/stories/[id]/page.tsx[[/code]] — Story detail footer links updated - [[code]]site/src/components/StoryCard.tsx[[/code]] — Story card author link updated

Categories

  • Security (70%)Adding rel="noopener noreferrer" prevents reverse tabnabbing attacks by blocking the opened page from accessing window.opener
  • New Feature (30%)External links now open in new browser tabs instead of navigating away from the site