Web:S5148 could be extended to allow some dynamic URLs

  • Language
    HTML / Razor (CSHTML)
  • Rule
    Web:S5148 (Authorizing an opened window to access back to the originating window is security-sensitive)
  • Environment
    SonarQube: Community Edition Version 10.0 (build 68432)

The rule suggests using rel="noopener" for links targeting _blank unless they use hardcoded relative URLs.

I am wondering whether the following dynamic cases would make sense to be allowed:

  • Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):
    <a href="#/${someDynamicParameter}" target="_blank">Link text</a>
    
  • Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):
    <a href="~/@SomeHelper.BuildUrl("someDynamicParameter")" target="_blank">Link text</a>
    

Please note I am not aware of this change’s deep security implications, so this suggestion should be reviewed by security experts.

Hello @m-gallesio!

Thank you for the suggestions for rule S5148. Let me give you an answer per case:

Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):

We already try to exclude relative URLs from S5148 (for example, hrefs that start with a /). But it looks like URLs starting with # were not considered yet. I’ve created a ticket internally so we can fix this.

Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):

I created an internal ticket so we can research this suggestion. For now, rule S5148 does not have framework-specific exclusions. I think it should be feasible to add this as an exclusion to .cshtml files specifically.

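As an added example (not code from the thread, and not SonarSource's implementation of S5148), the following Node.js script applies the exclusions discussed in the question and answer above to a constructed sample of anchors: `/`-prefixed paths (which the answer says the rule already excludes), `#` fragments including SPA hash routes, and, only when scanning Razor files, the `~/` root placeholder. The regex-based tag scanner, the `razor` option, the additional `./` and `../` prefixes, the protocol-relative caveat and the sample markup (including the `Model.Id` placeholder) are assumptions made for this example, not the rule's actual logic.

```javascript
// Added example: a checker for <a target="_blank"> links that lack
// rel="noopener" (or rel="noreferrer", which implies noopener), applying the
// exclusions proposed in the thread. This is NOT SonarSource's S5148
// implementation; the prefix list, the `razor` option and the regex-based
// tag scanner are assumptions made for this example.

// rel tokens that prevent the opened page from reaching window.opener
const SAFE_REL = /\b(noopener|noreferrer)\b/i;

// Is this href guaranteed to stay on the current origin, so that window.opener
// in the new tab is never exposed to a foreign page?
// Prefixes treated as safe (assumed list, modelled on the thread):
//   "/..."        same-origin absolute path (the answer says S5148 excludes these)
//   "#..."        fragment, incl. SPA hash routes like "#/${route}" (proposed)
//   "./", "../"   hardcoded relative paths
//   "~/..."       Razor tag-helper root placeholder, only when scanning .cshtml
// Everything else (absolute URLs, schemes, dynamic hrefs without a fixed
// prefix) is reported. A "//host/..." href starts with "/" but is
// protocol-relative and may leave the origin, so it is deliberately reported.
function isSameOriginHref(href, { razor = false } = {}) {
  const h = href.trim();
  if (h.startsWith('//')) return false;
  if (h.startsWith('/') || h.startsWith('#')) return true;
  if (h.startsWith('./') || h.startsWith('../')) return true;
  if (razor && h.startsWith('~/')) return true;
  return false;
}

// Parse the attributes of one opening tag. Regex-based on purpose: the input
// is markup with Razor/template expressions inside, which a strict HTML parser
// may reject. Handles double-quoted, single-quoted and bare values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the hrefs of every <a target="_blank"> that has no noopener/noreferrer
// and whose href is not excluded by isSameOriginHref.
function findUnsafeBlankLinks(markup, opts = {}) {
  const findings = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = anchorRe.exec(markup)) !== null) {
    const a = parseAttrs(m[0]);
    if ((a.target ?? '').toLowerCase() !== '_blank') continue;
    if (SAFE_REL.test(a.rel ?? '')) continue;
    const href = a.href ?? '';
    if (isSameOriginHref(href, opts)) continue;
    findings.push(href);
  }
  return findings;
}

// Constructed sample (not from the thread): one anchor per case.
// `Model.Id` is a placeholder for any server-side value passed to the helper.
const SAMPLE_MARKUP = [
  '<a href="https://example.com" target="_blank">external, no rel: reported</a>',
  '<a href="https://example.com" target="_blank" rel="noopener">external, safe</a>',
  '<a href="https://example.com" target="_blank" rel="nofollow noreferrer">noreferrer implies noopener</a>',
  '<a href="//cdn.example.net/x" target="_blank">protocol-relative: reported</a>',
  '<a href="/docs" target="_blank">same-origin path: excluded</a>',
  '<a href="#/${someDynamicParameter}" target="_blank">SPA hash route: excluded</a>',
  '<a href="~/@SomeHelper.BuildUrl(Model.Id)" target="_blank">Razor root: excluded only with razor: true</a>',
  '<a href="https://example.org" target="_self">not _blank: ignored</a>',
].join('\n');

console.log('plain HTML :', findUnsafeBlankLinks(SAMPLE_MARKUP));
console.log('.cshtml    :', findUnsafeBlankLinks(SAMPLE_MARKUP, { razor: true }));
```

Run with `node` and the plain-HTML pass reports the external link, the protocol-relative link and the `~/` link, while the `razor: true` pass drops the `~/` link; the `#/...` route is never reported in either mode because a fragment cannot change the document's origin, which is the point of the first proposal above.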

Actually this whole noopener thing should go away.

Setting target="_blank" on <a> elements now implicitly provides the same rel behavior as setting rel="noopener", which does not set window.opener.

That “now” implies a relatively recent (2019 / 2020 / 2021) time period.
Evergreen browsers are of course covered, but the ability to fully skip noopener depends on what browsers developers need to support (see compatibility table on Can I Use).
It might be sensible to remove this rule from the standard Sonar profile, however.