From f01f2dbc0d4306fbc8dec66ba32fadc960b5751b Mon Sep 17 00:00:00 2001
From: istiak101 <30789544+istiak101@users.noreply.github.com>
Date: Wed, 27 Dec 2023 16:59:16 +0600
Subject: [PATCH] fix: use noreferer to prevent exposing shiori instance url to
 archived websites (#802)

---
 internal/view/assets/js/component/bookmark.js | 4 ++--
 internal/view/content.html                    | 4 ++--
 internal/webserver/handler.go                 | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/internal/view/assets/js/component/bookmark.js b/internal/view/assets/js/component/bookmark.js
index 97f3560b..9b4c6a36 100644
--- a/internal/view/assets/js/component/bookmark.js
+++ b/internal/view/assets/js/component/bookmark.js
@@ -4,7 +4,7 @@ var template = `
 		v-if="editMode" 
 		@click="selectBookmark">
 	</a>
-	<a class="bookmark-link" :href="mainURL" target="_blank" rel="noopener">
+	<a class="bookmark-link" :href="mainURL" target="_blank" rel="noopener noreferrer">
 		<span class="thumbnail" v-if="thumbnailVisible" :style="thumbnailStyleURL"></span>
 		<p class="title" dir="auto">{{title}}
 			<i v-if="hasContent" class="fas fa-file-alt"></i>
@@ -19,7 +19,7 @@ var template = `
 	</div>
 	<div class="spacer"></div>
 	<div class="bookmark-menu">
-		<a class="url" :href="url" target="_blank" rel="noopener">
+		<a class="url" :href="url" target="_blank" rel="noopener noreferrer">
 			{{hostnameURL}}
 		</a>
 		<template v-if="!editMode && menuVisible">
diff --git a/internal/view/content.html b/internal/view/content.html
index a966a134..9c41412a 100644
--- a/internal/view/content.html
+++ b/internal/view/content.html
@@ -26,7 +26,7 @@
 			<p id="metadata" v-cloak>Added {{localtime()}}</p>
 			<p id="title" dir="auto">$$.Book.Title$$</p>
 			<div id="links">
-				<a href="$$.Book.URL$$" target="_blank" rel="noopener">View Original</a>
+				<a href="$$.Book.URL$$" target="_blank" rel="noopener noreferrer">View Original</a>
 				$$if .Book.HasArchive$$
 				<a href="bookmark/$$.Book.ID$$/archive">View Archive</a>
 				$$end$$
@@ -82,7 +82,7 @@
 
 				document.querySelectorAll("#content a").forEach(elem => {
 					elem.setAttribute("target", "_blank");
-					elem.setAttribute("rel", "noopener");
+					elem.setAttribute("rel", "noopener noreferrer");
 				});
 			}
 		});
diff --git a/internal/webserver/handler.go b/internal/webserver/handler.go
index 7401beae..60016f85 100644
--- a/internal/webserver/handler.go
+++ b/internal/webserver/handler.go
@@ -75,7 +75,7 @@ func (h *Handler) PrepareTemplates() error {
 		`<div id="shiori-archive-header">
 		<p id="shiori-logo"><span>栞</span>shiori</p>
 		<div class="spacer"></div>
-		<a href="$$.URL$$" target="_blank">View Original</a>
+		<a href="$$.URL$$" target="_blank" rel="noopener noreferrer">View Original</a>
 		$$if .HasContent$$
 		<a href="/bookmark/$$.ID$$/content">View Readable</a>
 		$$end$$