- Language: HTML / Razor (CSHTML)
- Rule: Web:S5148 (Authorizing an opened window to access back to the originating window is security-sensitive)
- Environment: SonarQube: Community Edition Version 10.0 (build 68432)

The rule suggests using `rel="noopener"` for links targeting `_blank` unless using hardcoded relative URLs.
I am wondering whether the following dynamic cases would make sense to be allowed:
- Same-page URLs (starting with `#`), including for Single-Page Applications (we use Aurelia 1): `<a href="#/${someDynamicParameter}" target="_blank">Link text</a>`
- Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial `~` to the application’s root): `<a href="~/@SomeHelper.BuildUrl("someDynamicParameter")" target="_blank">Link text</a>`

Please note I am not aware of this change’s deep security implications, so this suggestion should be reviewed by security experts.
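
An added example, not part of the original post and not SonarQube's rule implementation: it resolves a hardcoded `href` prefix plus constructed dynamic values with the WHATWG `URL` parser to show which prefixes keep a `target="_blank"` link on the page's own origin. The base URL, the sample values, the function names and the `/app/` root standing in for an already expanded `~/` are assumptions.

```javascript
// Added example: does a hardcoded href prefix pin a link to the page's origin,
// whatever the dynamic part expands to?
const BASE = "https://app.example/app/index.html"; // constructed page URL

// Constructed values a dynamic parameter could take.
const TAILS = [
  "orders/42",
  "/other.example/path",   // a bare "/" prefix becomes "//other.example/path"
  "\\other.example/path",  // http(s) URL parsing treats "\" like "/"
  "https://other.example/",
];

// Returns the tails for which prefix + tail resolves outside the base origin.
function escapingTails(prefix, base = BASE, tails = TAILS) {
  const home = new URL(base).origin;
  return tails.filter((tail) => {
    let target;
    try {
      target = new URL(prefix + tail, base); // same resolution a browser applies
    } catch {
      return true; // unparsable: not provably same-origin
    }
    return target.origin !== home;
  });
}

// True when the literal prefix alone keeps every sample on the base origin.
function prefixPinsOrigin(prefix, base = BASE) {
  return escapingTails(prefix, base).length === 0;
}

// Prefixes: fragment (first case in the post), assumed expansion of "~/",
// bare root-relative, and fully dynamic.
for (const prefix of ["#/", "/app/", "/", ""]) {
  console.log(JSON.stringify(prefix), "pins origin:", prefixPinsOrigin(prefix),
              "escaping:", escapingTails(prefix));
}
```

A `#` prefix turns the whole dynamic part into a fragment, and a root with a non-empty path segment keeps it inside the path; a bare `/` prefix does neither, because a dynamic value that begins with `/` or `\` produces a network-path reference.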