fix: add noreferrer to external markdown links to prevent 403 errors (#7360)

mscolnick · web-flow · commit 7c8070aa6249 · 2025-12-01T12:19:32.000-05:00
## Summary Fixes #7350 by adding `noreferrer` to the `rel` attribute of external links in markdown cells. This prevents the browser from sending the `Referer` header when clicking links, which was causing some websites (like ScienceDirect) to return 403 errors when detecting `localhost` as the referrer.
diff --git a/frontend/src/plugins/core/__test__/sanitize.test.ts b/frontend/src/plugins/core/__test__/sanitize.test.ts
@@ -64,7 +64,7 @@ describe("sanitizeHtml", () => {
   test("preserves safe anchor with target=_blank", () => {
     const html = '<a href="https://example.com" target="_blank">Link</a>';
     expect(sanitizeHtml(html)).toMatchInlineSnapshot(
-      `"<a href="https://example.com" target="_blank" rel="noopener">Link</a>"`,
+      `"<a href="https://example.com" target="_blank" rel="noopener noreferrer">Link</a>"`,
     );
   });
 
diff --git a/frontend/src/plugins/core/sanitize.ts b/frontend/src/plugins/core/sanitize.ts
@@ -62,7 +62,7 @@ DOMPurify.addHook("afterSanitizeAttributes", (node) => {
     node.setAttribute("target", node.getAttribute(TEMPORARY_ATTRIBUTE) || "");
     node.removeAttribute(TEMPORARY_ATTRIBUTE);
     if (node.getAttribute("target") === "_blank") {
-      node.setAttribute("rel", "noopener");
+      node.setAttribute("rel", "noopener noreferrer");
     }
   }
 });
diff --git a/marimo/_output/md_extensions/external_links.py b/marimo/_output/md_extensions/external_links.py
@@ -28,7 +28,7 @@ def run(self, root: Element) -> None:
 
             if parsed_url.scheme in ["http", "https"]:
                 element.set("target", "_blank")
-                element.set("rel", "noopener")
+                element.set("rel", "noopener noreferrer")
 
 
 class ExternalLinksExtension(Extension):  # type: ignore[misc]
diff --git a/tests/_output/test_md.py b/tests/_output/test_md.py
@@ -73,7 +73,7 @@ def test_md_latex() -> None:
 def test_md_links() -> None:
     # Test external link conversion
     link_input = "[Google](https://google.com)"
-    expected_output = '<span class="paragraph"><a href="https://google.com" rel="noopener" target="_blank">Google</a></span>'  # noqa: E501
+    expected_output = '<span class="paragraph"><a href="https://google.com" rel="noopener noreferrer" target="_blank">Google</a></span>'  # noqa: E501
     assert _md(link_input, apply_markdown_class=False).text == (
         expected_output
     )

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ DOMPurify.addHook("afterSanitizeAttributes", (node) => {`
`62`	`62`	`node.setAttribute("target", node.getAttribute(TEMPORARY_ATTRIBUTE) \|\| "");`
`63`	`63`	`node.removeAttribute(TEMPORARY_ATTRIBUTE);`
`64`	`64`	`if (node.getAttribute("target") === "_blank") {`
`65`		`- node.setAttribute("rel", "noopener");`
	`65`	`+ node.setAttribute("rel", "noopener noreferrer");`
`66`	`66`	`}`
`67`	`67`	`}`
`68`	`68`	`});`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ def test_md_latex() -> None:`
`73`	`73`	`def test_md_links() -> None:`
`74`	`74`	`# Test external link conversion`
`75`	`75`	`link_input = "[Google](https://google.com)"`
`76`		`- expected_output = '<span class="paragraph"><a href="https://google.com" rel="noopener" target="_blank">Google</a></span>' # noqa: E501`
	`76`	`+ expected_output = '<span class="paragraph"><a href="https://google.com" rel="noopener noreferrer" target="_blank">Google</a></span>' # noqa: E501`
`77`	`77`	`assert _md(link_input, apply_markdown_class=False).text == (`
`78`	`78`	`expected_output`
`79`	`79`	`)`