
fix: add rel="noopener noreferrer" to all target="_blank" links in modal#90

Draft
Copilot wants to merge 2 commits intomainfrom
copilot/fix-missing-rel-attribute

Conversation


Copilot AI commented Mar 17, 2026

All <a target="_blank"> links in modal.ts lacked rel="noopener noreferrer", exposing the app to reverse tab-napping — opened pages could access window.opener and redirect the parent to a phishing site.

Changes

  • src/modal/modal.ts — Added rel="noopener noreferrer" to every <a target="_blank"> element:

    • renderCreatorOrAssetSourceType() — showcase link
    • renderTop() — profile image link
    • renderTransaction() — blockchain explorer URL link
    • renderDefaultProvenanceZone() — Numbers mainnet explorer link
    • renderCustomProvenanceZone() — item.url links
    • renderBottom() — action button and "Powered by Numbers Protocol" links
    • renderEngagementZone() — engagement zone link
  • src/test/modal_test.ts — Updated snapshot assertions to reflect the new attribute.

- html`<a class="link-text" href=${showcaseLink} target="_blank">`
+ html`<a class="link-text" href=${showcaseLink} target="_blank" rel="noopener noreferrer">`
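Review bot: the snapshot updates in src/test/modal_test.ts only freeze the new markup; a test that renders each affected function and asserts that every `<a target="_blank">` carries a rel containing noopener would catch the next external link added without it, and the helper the issue suggests in step 2 (one function that renders external anchors) would make such a regression harder to introduce in the first place.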

Note: handleInspectContentCredentials already used window.open(url, '_blank', 'noopener,noreferrer') correctly — only the <a> tags were affected.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
  • static-cdn.numbersprotocol.io
  • via.placeholder.com

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[Security][Medium] Missing rel="noopener noreferrer" on all target="_blank" links enables tab-napping attacks</issue_title>
<issue_description>## Summary

All <a target="_blank"> links in the modal component lack rel="noopener noreferrer", allowing opened pages to access window.opener and potentially redirect the parent page (reverse tab-napping vulnerability).

Affected Files

  • src/modal/modal.ts — All anchor tags with target="_blank":
    • renderCreatorOrAssetSourceType(): showcase link
    • renderTransaction(): explorer URL link
    • renderCustomProvenanceZone(): custom provenance zone item.url links
    • renderBottom(): action button link
    • renderTop(): profile image link

Current Code Pattern

html`<a class="link-text" href=${showcaseLink} target="_blank">`

Expected Fix

Add rel="noopener noreferrer" to every <a target="_blank"> in the modal:

html`<a class="link-text" href=${showcaseLink} target="_blank" rel="noopener noreferrer">`

Note: The handleInspectContentCredentials method already correctly uses window.open(url, '_blank', 'noopener,noreferrer') — only the <a> tags are affected.

Impact

Without rel="noopener noreferrer", any page opened via these links gains access to window.opener, which can be used to:

  • Redirect the parent page to a phishing site (reverse tab-napping)
  • Read limited properties of the parent window in some browsers

This is particularly concerning for links that use URLs from API responses (e.g., explorerUrl, custom provenance zone URLs), where a compromised API could direct users to malicious pages that exploit the window.opener reference.

Suggested Approach

  1. Add rel="noopener noreferrer" to all <a target="_blank"> elements in modal.ts
  2. Consider creating a helper function to ensure consistent link rendering across the component</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title [WIP] [Security] Fix missing rel="noopener noreferrer" on target="_blank" links fix: add rel="noopener noreferrer" to all target="_blank" links in modal Mar 17, 2026
Copilot AI requested a review from numbers-official March 17, 2026 13:16
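An added regression check, written in TypeScript to match modal.ts and not code from the project or this PR: it scans rendered markup for target="_blank" anchors that still expose window.opener and provides the kind of link-rendering helper the issue's step 2 suggests. Function names and the sample HTML are assumptions.

```typescript
// Added example, not code from the numbers-protocol project or this PR; function
// names are assumed and the sample HTML is constructed.
/** Parse the attributes of one <a ...> start tag into a lowercase map. */
function parseAttrs(tag: string): { [name: string]: string } {
  const attrs: { [name: string]: string } = {};
  const body = tag.replace(/^<a\b/i, "").replace(/\/?>$/, "");
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || "").toLowerCase();
  }
  return attrs;
}
/** True when the anchor opens a new tab but keeps window.opener. rel=noreferrer
 *  implies noopener per the HTML spec, so either token is accepted. */
function isUnsafeBlankLink(tag: string): boolean {
  const attrs = parseAttrs(tag);
  if (attrs["target"] !== "_blank") return false;
  const rel = (attrs["rel"] || "").split(/\s+/);
  return rel.indexOf("noopener") === -1 && rel.indexOf("noreferrer") === -1;
}

/** Regression check: every offending start tag in a rendered HTML string. */
function findUnsafeBlankLinks(html: string): string[] {
  const out: string[] = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m: RegExpExecArray | null;
  while ((m = anchorRe.exec(html)) !== null) {
    if (isUnsafeBlankLink(m[0])) out.push(m[0]);
  }
  return out;
}

/** Helper in the spirit of the issue's step 2: given a single <a ...> start tag,
 *  add the rel tokens when missing, keeping tokens the author already set. */
function ensureSafeRel(tag: string): string {
  if (!isUnsafeBlankLink(tag)) return tag;
  if (!("rel" in parseAttrs(tag))) {
    return tag.replace(/\/?>$/, (end) => ` rel="noopener noreferrer"${end}`);
  }
  return tag.replace(/\brel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i, (_all, v: string) => {
    const inner = /^["']/.test(v) ? v.slice(1, -1) : v;
    return `rel="${(inner + " noopener noreferrer").trim()}"`;
  });
}
// Constructed sample modelled on the modal's link-text anchors, not real output.
const SAMPLE_HTML = `<a class="link-text" href="https://example.com/showcase" target="_blank">showcase</a>
<a class="link-text" href="https://example.com/tx" target="_blank" rel="noopener noreferrer">tx</a>
<a href="/profile">profile</a><a target='_blank' rel=noreferrer href="https://example.com/x">x</a>`;
```

Running findUnsafeBlankLinks over the real rendered output of each render* function listed above would turn the snapshot update into a check that fails whenever a new target="_blank" anchor lands without the attribute.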

Development

Successfully merging this pull request may close these issues.

[Security][Medium] Missing rel="noopener noreferrer" on all target="_blank" links enables tab-napping attacks
