Fixes Microsoft/monaco-editor#601: Set window.opener to null

src/vs/base/browser/dom.ts

@@ -1054,3 +1054,18 @@ export function computeScreenAwareSize(cssPx: number): number {
 	const screenPx = window.devicePixelRatio * cssPx;
 	return Math.max(1, Math.floor(screenPx)) / window.devicePixelRatio;
 }
+
+/**
+ * See https://github.com/Microsoft/monaco-editor/issues/601
+ * To protect against malicious code in the linked site, particularly phishing attempts,
+ * the window.opener should be set to null to prevent the linked site from having access
+ * to change the location of the current page.
+ * See https://mathiasbynens.github.io/rel-noopener/
+ */
+export function windowOpenNoOpener(url: string): void {
+	let newTab = window.open();
+	if (newTab) {
+		newTab.opener = null;
+		newTab.location.href = url;
+	}
+}

src/vs/editor/standalone/browser/simpleServices.ts

@@ -139,7 +139,7 @@ export class SimpleEditorService implements IEditorService {
 					let schema = data.resource.scheme;
 					if (schema === Schemas.http || schema === Schemas.https) {
 						// This is a fully qualified http or https URL
-						window.open(data.resource.toString());
+						dom.windowOpenNoOpener(data.resource.toString());
 						return this.editor;
 					}
 				}

src/vs/platform/opener/browser/openerService.ts

@@ -5,6 +5,7 @@
 'use strict';
 
 import URI from 'vs/base/common/uri';
+import * as dom from 'vs/base/browser/dom';
 import { parse } from 'vs/base/common/marshalling';
 import { Schemas } from 'vs/base/common/network';
 import { TPromise } from 'vs/base/common/winjs.base';
@@ -41,7 +42,7 @@ export class OpenerService implements IOpenerService {
 		let promise: TPromise<any>;
 		if (scheme === Schemas.http || scheme === Schemas.https) {
 			// open http
-			window.open(resource.toString(true));
+			dom.windowOpenNoOpener(resource.toString(true));
 
 		} else if (scheme === 'command' && CommandsRegistry.getCommand(path)) {
 			// execute as command