fix(frontend): add missing rel="noopener noreferrer" to target="_blank" links (#1741)

* fix(frontend): add missing rel="noopener noreferrer" to target="_blank" links

Prevent tabnabbing attacks and referrer leakage by ensuring all
external links with target="_blank" include both noopener and
noreferrer in the rel attribute.

Made-with: Cursor

* style: fix code formatting

frontend/src/components/workspace/artifacts/artifact-file-detail.tsx

@@ -188,7 +188,11 @@ export function ArtifactFileDetail({
               </Tooltip>
             )}
             {!isWriteFile && (
-              <a href={urlOfArtifact({ filepath, threadId })} target="_blank">
+              <a
+                href={urlOfArtifact({ filepath, threadId })}
+                target="_blank"
+                rel="noopener noreferrer"
+              >
                 <ArtifactAction
                   icon={SquareArrowOutUpRightIcon}
                   label={t.common.openInNewWindow}
@@ -217,6 +221,7 @@ export function ArtifactFileDetail({
               <a
                 href={urlOfArtifact({ filepath, threadId, download: true })}
                 target="_blank"
+                rel="noopener noreferrer"
               >
                 <ArtifactAction
                   icon={DownloadIcon}

frontend/src/components/workspace/artifacts/artifact-file-list.tsx

@@ -111,6 +111,7 @@ export function ArtifactFileList({
                   download: true,
                 })}
                 target="_blank"
+                rel="noopener noreferrer"
                 onClick={(e) => e.stopPropagation()}
               >
                 <Button variant="ghost">

frontend/src/components/workspace/messages/message-group.tsx

@@ -215,7 +215,7 @@ function ToolCall({
           <ChainOfThoughtSearchResults>
             {result.map((item) => (
               <ChainOfThoughtSearchResult key={item.url}>
-                <a href={item.url} target="_blank" rel="noreferrer">
+                <a href={item.url} target="_blank" rel="noopener noreferrer">
                   {item.title}
                 </a>
               </ChainOfThoughtSearchResult>
@@ -250,7 +250,7 @@ function ToolCall({
                     className="size-24 overflow-hidden rounded-lg object-cover"
                     href={item.source_url}
                     target="_blank"
-                    rel="noreferrer"
+                    rel="noopener noreferrer"
                   >
                     <div className="bg-accent size-24">
                       <img
@@ -289,7 +289,7 @@ function ToolCall({
       >
         <ChainOfThoughtSearchResult>
           {url && (
-            <a href={url} target="_blank" rel="noreferrer">
+            <a href={url} target="_blank" rel="noopener noreferrer">
               {title}
             </a>
           )}