From a728779d8102bba91379e193243f996929ea4162 Mon Sep 17 00:00:00 2001 From: Tim Roes Date: Fri, 7 Jun 2019 19:51:43 +0200 Subject: [PATCH] Set noreferrer also for non _blank links (#2008) * Set noreferrer also for non _blank links * Add changelog entry --- CHANGELOG.md | 1 + .../__snapshots__/breadcrumbs.test.js.snap | 2 + .../context_menu_item.test.js.snap | 3 +- .../header_breadcrumbs.test.js.snap | 2 + .../link/__snapshots__/link.test.js.snap | 6 ++- .../get_secure_rel_for_target.test.ts | 40 ++++++++++++------- .../security/get_secure_rel_for_target.ts | 14 +++---- 7 files changed, 43 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c7f4f5a60e..b305d21b83e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ## [`master`](https://github.com/elastic/eui/tree/master) +- Attach `noreferrer` also to links without `target="_blank"` ([#2008](https://github.com/elastic/eui/pull/2008)) - Convert observer utility components to TypeScript ([#2009](https://github.com/elastic/eui/pull/2009)) **Bug fixes** diff --git a/src/components/breadcrumbs/__snapshots__/breadcrumbs.test.js.snap b/src/components/breadcrumbs/__snapshots__/breadcrumbs.test.js.snap index ed66e449236..a943c2202f3 100644 --- a/src/components/breadcrumbs/__snapshots__/breadcrumbs.test.js.snap +++ b/src/components/breadcrumbs/__snapshots__/breadcrumbs.test.js.snap @@ -10,6 +10,7 @@ exports[`EuiBreadcrumbs is rendered 1`] = ` class="euiLink euiLink--subdued euiBreadcrumb customClass" data-test-subj="breadcrumbsAnimals" href="#" + rel="noreferrer" title="[object Object]" > @@ -32,6 +33,7 @@ exports[`EuiBreadcrumbs is rendered 1`] = ` Boa constrictor diff --git a/src/components/context_menu/__snapshots__/context_menu_item.test.js.snap b/src/components/context_menu/__snapshots__/context_menu_item.test.js.snap index ffee19bb4d1..8de3efb69bf 100644 --- a/src/components/context_menu/__snapshots__/context_menu_item.test.js.snap +++ b/src/components/context_menu/__snapshots__/context_menu_item.test.js.snap @@ -64,6 +64,7 @@ exports[`EuiContextMenuItem props href renders a link 1`] = ` class="euiContextMenuItem testClass1 testClass2" data-test-subj="test subject string" href="url" + rel="noreferrer" > @@ -32,6 +33,7 @@ exports[`EuiHeaderBreadcrumbs is rendered 1`] = ` Boa constrictor diff --git a/src/components/link/__snapshots__/link.test.js.snap b/src/components/link/__snapshots__/link.test.js.snap index 8f7f7b4a20b..ca0d0a58e83 100644 --- a/src/components/link/__snapshots__/link.test.js.snap +++ b/src/components/link/__snapshots__/link.test.js.snap @@ -48,6 +48,7 @@ exports[`EuiLink it supports both href and onClick 1`] = ` `; @@ -76,6 +77,7 @@ exports[`EuiLink supports children 1`] = ` Hiya!!! @@ -87,6 +89,7 @@ exports[`EuiLink supports href 1`] = ` `; @@ -94,7 +97,7 @@ exports[`EuiLink supports rel 1`] = ` `; @@ -102,6 +105,7 @@ exports[`EuiLink supports target 1`] = ` `; diff --git a/src/services/security/get_secure_rel_for_target.test.ts b/src/services/security/get_secure_rel_for_target.test.ts index 530946a45a1..d6d59dac110 100644 --- a/src/services/security/get_secure_rel_for_target.test.ts +++ b/src/services/security/get_secure_rel_for_target.test.ts @@ -1,7 +1,7 @@ import { getSecureRelForTarget } from './get_secure_rel_for_target'; describe('getSecureRelForTarget', () => { - describe('returns rel', () => { + describe('returns rel and noreferrer', () => { test('when target is not supplied', () => { expect( getSecureRelForTarget({ @@ -9,7 +9,7 @@ describe('getSecureRelForTarget', () => { target: undefined, rel: 'hello', }) - ).toBe('hello'); + ).toBe('hello noreferrer'); }); test('when target is empty', () => { @@ -19,7 +19,7 @@ describe('getSecureRelForTarget', () => { target: '', rel: 'hello', }) - ).toBe('hello'); + ).toBe('hello noreferrer'); }); test('when target is not _blank', () => { @@ -29,17 +29,7 @@ describe('getSecureRelForTarget', () => { target: '_self', rel: 'hello', }) - ).toBe('hello'); - }); - - test('when target is undefined', () => { - expect( - getSecureRelForTarget({ - href: undefined, - target: undefined, - rel: 'hello', - }) - ).toBe('hello'); + ).toBe('hello noreferrer'); }); }); @@ -156,4 +146,26 @@ describe('getSecureRelForTarget', () => { ).toBe('nofollow noopener'); }); }); + + describe('returns no noreferrer when domain is safe without target _blank', () => { + test('when target and rel is undefined', () => { + expect( + getSecureRelForTarget({ + href: 'http://discuss.elastic.co', + target: undefined, + rel: undefined, + }) + ).toBe(''); + }); + + test('when rel is specified', () => { + expect( + getSecureRelForTarget({ + href: 'https://discuss.elastic.co', + target: undefined, + rel: 'nofollow', + }) + ).toBe('nofollow'); + }); + }); }); diff --git a/src/services/security/get_secure_rel_for_target.ts b/src/services/security/get_secure_rel_for_target.ts index 7002d2167e9..9083a4b22ae 100644 --- a/src/services/security/get_secure_rel_for_target.ts +++ b/src/services/security/get_secure_rel_for_target.ts @@ -7,30 +7,26 @@ import { isDomainSecure } from '../url'; export const getSecureRelForTarget = ({ href, - target, + target = '', rel, }: { href?: string; target?: '_blank' | '_self' | '_parent' | '_top' | string; rel?: string; }) => { - if (!target || !target.includes('_blank')) { - return rel; - } - const isElasticHref = !!href && isDomainSecure(href); const relParts = !!rel ? filter(rel.split(' '), part => !!part.length && part !== 'noreferrer') : []; - if (relParts.indexOf('noopener') === -1) { - relParts.push('noopener'); - } - if (!isElasticHref) { relParts.push('noreferrer'); } + if (target.includes('_blank') && relParts.indexOf('noopener') === -1) { + relParts.push('noopener'); + } + return relParts .sort() .join(' ')