From 914c81ec277b4eaad1ef1e9df8af062d6cc497d9 Mon Sep 17 00:00:00 2001
From: Alex Dima <alexdima@microsoft.com>
Date: Mon, 16 Oct 2017 10:08:05 +0200
Subject: [PATCH] Fixes Microsoft/monaco-editor#601: Set window.opener to null

---
 src/vs/base/browser/dom.ts                        | 15 +++++++++++++++
 .../editor/standalone/browser/simpleServices.ts   |  2 +-
 src/vs/platform/opener/browser/openerService.ts   |  3 ++-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/vs/base/browser/dom.ts b/src/vs/base/browser/dom.ts
index d0dfb1d885ced..ad9fe378587cb 100644
--- a/src/vs/base/browser/dom.ts
+++ b/src/vs/base/browser/dom.ts
@@ -1054,3 +1054,18 @@ export function computeScreenAwareSize(cssPx: number): number {
 	const screenPx = window.devicePixelRatio * cssPx;
 	return Math.max(1, Math.floor(screenPx)) / window.devicePixelRatio;
 }
+
+/**
+ * See https://github.com/Microsoft/monaco-editor/issues/601
+ * To protect against malicious code in the linked site, particularly phishing attempts,
+ * the window.opener should be set to null to prevent the linked site from having access
+ * to change the location of the current page.
+ * See https://mathiasbynens.github.io/rel-noopener/
+ */
+export function windowOpenNoOpener(url: string): void {
+	let newTab = window.open();
+	if (newTab) {
+		newTab.opener = null;
+		newTab.location.href = url;
+	}
+}
diff --git a/src/vs/editor/standalone/browser/simpleServices.ts b/src/vs/editor/standalone/browser/simpleServices.ts
index 606aff0559cdf..48ba23efabba2 100644
--- a/src/vs/editor/standalone/browser/simpleServices.ts
+++ b/src/vs/editor/standalone/browser/simpleServices.ts
@@ -139,7 +139,7 @@ export class SimpleEditorService implements IEditorService {
 					let schema = data.resource.scheme;
 					if (schema === Schemas.http || schema === Schemas.https) {
 						// This is a fully qualified http or https URL
-						window.open(data.resource.toString());
+						dom.windowOpenNoOpener(data.resource.toString());
 						return this.editor;
 					}
 				}
diff --git a/src/vs/platform/opener/browser/openerService.ts b/src/vs/platform/opener/browser/openerService.ts
index 81ce66693868f..a97c643538dbe 100644
--- a/src/vs/platform/opener/browser/openerService.ts
+++ b/src/vs/platform/opener/browser/openerService.ts
@@ -5,6 +5,7 @@
 'use strict';
 
 import URI from 'vs/base/common/uri';
+import * as dom from 'vs/base/browser/dom';
 import { parse } from 'vs/base/common/marshalling';
 import { Schemas } from 'vs/base/common/network';
 import { TPromise } from 'vs/base/common/winjs.base';
@@ -41,7 +42,7 @@ export class OpenerService implements IOpenerService {
 		let promise: TPromise<any>;
 		if (scheme === Schemas.http || scheme === Schemas.https) {
 			// open http
-			window.open(resource.toString(true));
+			dom.windowOpenNoOpener(resource.toString(true));
 
 		} else if (scheme === 'command' && CommandsRegistry.getCommand(path)) {
 			// execute as command