From 2a8118fb4417133c31570b328b22211db1a00f13 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Thu, 25 Apr 2019 00:34:59 +0300
Subject: [PATCH] SECURITY: Fix tab nabbing.
---
 app/assets/javascripts/discourse/lib/click-track.js.es6 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/assets/javascripts/discourse/lib/click-track.js.es6 b/app/assets/javascripts/discourse/lib/click-track.js.es6
index 1da282ba48..63b29e65d1 100644
--- a/app/assets/javascripts/discourse/lib/click-track.js.es6
+++ b/app/assets/javascripts/discourse/lib/click-track.js.es6
@@ -157,7 +157,9 @@ export default {
 });
 }
 if (openWindow) {
- window.open(destUrl, "_blank").focus();
+ const newWindow = window.open(destUrl, "_blank");
+ newWindow.opener = null;
+ newWindow.focus();
 } else {
 DiscourseURL.routeTo(href);
 }
@@ -165,7 +167,9 @@ export default {
 }
 if (openWindow) {
- window.open(destUrl, "_blank").focus();
+ const newWindow = window.open(destUrl, "_blank");
+ newWindow.opener = null;
+ newWindow.focus();
 } else {
 DiscourseURL.redirectTo(destUrl);
 }
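Review bot: `newWindow.opener = null` dereferences the return value of `window.open` without a check, and that value is `null` when the browser blocks the popup, so both new branches (the one paired with `DiscourseURL.routeTo(href)` and the one paired with `DiscourseURL.redirectTo(destUrl)`) throw a TypeError instead of degrading; the old `.focus()` chain had the same gap, and this is the natural place to close it with `if (newWindow) { newWindow.opener = null; newWindow.focus(); }`. The opener is also cleared only after navigation to `destUrl` has already been requested; this ordering is normally safe because the assignment runs before the destination's scripts can, but opening an empty window, nulling `opener`, and then setting `newWindow.location = destUrl` would remove the dependence on that ordering. Because the same three lines now appear in two places, a small shared helper would keep the two paths from drifting apart, with a comment such as `// sever window.opener so the destination page cannot navigate this tab (reverse tabnabbing)` to record why the chained call was split. The enclosing function begins and ends outside both hunks, so whether other `window.open` call sites in this file need the same treatment cannot be seen from here.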