
Add noopener, modernize vars, fix favicon logic #212

Open
itz-rj-here wants to merge 1 commit into prem-k-r:main from itz-rj-here:patch-4

Conversation

@itz-rj-here

@itz-rj-here itz-rj-here commented May 14, 2026

Collaborator

📌 Description

This PR applies security hardening, bug fixes, and code quality improvements across the extension's HTML and JavaScript files:

Security:

  • Added rel="noopener noreferrer" to all 4 external target="_blank" links in index.html to prevent reverse tabnapping attacks, where an opened page could access window.opener and redirect the extension tab.

Bug Fixes:

  • bookmarks.js — Fixed favicon selection logic: the condition !isFirefox || !isOpera was always true (De Morgan's law), so Chrome's _favicon API was incorrectly attempted on Opera and Firefox. Changed to !isFirefox && !isOpera to correctly fall back to Google's favicon service for non-Chromium browsers.
  • search.js — Fixed a memory leak in updateSelection() where mouseenter/mouseleave event listeners were being re-attached to every dropdown item on every keystroke (called from the keydown handler). Listeners are now attached once during initialization, and updateSelection() is focused solely on keyboard navigation state.

Code Quality:

  • Replaced all legacy var declarations with const/let across clock.js (11 occurrences), search.js (2), search-suggestions.js (1), and bookmarks.js (1) to use block scoping and prevent hoisting-related issues.
  • Removed a leftover console.log("Backup completed successfully!") from backup-restore.js that shouldn't be in production code.
  • Minor formatting/semicolon consistency fixes in refactored code.

🎨 Visual Changes (Screenshots / Videos)

No visual changes — all modifications are under-the-hood security, correctness, and performance improvements.

🔗 Related Issues

  • No linked issues — discovered during a codebase audit.

✅ Checklist

  • I have read and followed the Contributing Guidelines.
  • My code follows the project's coding style and conventions.
  • I have tested my changes thoroughly to ensure expected behavior.
  • I have verified compatibility across Chrome and Firefox (additional browsers if applicable).
  • I have attached relevant visual evidence (screenshots/videos) if applicable.
  • I have updated the CHANGELOG.md under the appropriate categories with all my changes in this PR.

🤖 AI Assistance (Coding)

  • None
  • Ideas / planning
  • Debugging / review help
  • Small code snippets
  • Partial implementation
  • Major implementation help
  • Mostly AI-generated
  • Full vibe coded

Security Hardening

Added rel="noopener noreferrer" to four external links with target="_blank" in index.html (Host your own proxy, Privacy policy, Learn more, and Firefox informational link) to prevent reverse tabnapping attacks.

Bug Fixes

bookmarks.js: Fixed favicon selection logic by correcting the condition from !isFirefox || !isOpera (which would always evaluate to true) to !isFirefox && !isOpera. This prevents the Chromium-specific _favicon API from being incorrectly invoked on Firefox and Opera browsers.

search.js: Fixed a memory leak by refactoring dropdown item highlight handling. Mouse event listeners (mouseenter/mouseleave) are now attached once during initialization rather than being repeatedly re-registered. The updateSelection() function now handles only keyboard navigation state and DOM updates without re-attaching event listeners.

Code Modernization

Replaced var declarations with const/let across multiple files for improved block scoping and to avoid hoisting issues:

  • scripts/clock.js: 11 variable declarations (time and date initialization in initializeClock(), updateDate(), and updateanalogclock())
  • scripts/search.js: 2 variable declarations (fallbackUrl and searchUrl)
  • scripts/search-suggestions.js: 1 variable declaration (selectedOption)
  • scripts/bookmarks.js: 1 variable declaration (bookmarksAPI)

Cleanup

Removed leftover debug statement console.log("Backup completed successfully!") from scripts/backup-restore.js.


Security and code quality updates across the UI and scripts:

- index.html: Add rel="noopener noreferrer" to external links opened with target="_blank".
- scripts/clock.js, scripts/search-suggestions.js, scripts/search.js, scripts/bookmarks.js: Replace function-scoped var with const/let to modernize code and reduce hoisting-related issues; small formatting/semicolon fixes.
- scripts/bookmarks.js: Fix favicon selection logic to correctly exclude both Firefox and Opera (use && instead of ||) and initialize bookmarksAPI with let.
- scripts/backup-restore.js: Remove noisy console.log after backup completion.
- scripts/search.js: Attach mouseenter/mouseleave handlers to dropdown items once (prevent repeated listener registration) and keep updateSelection focused on keyboard navigation.

These changes improve security, correctness, and performance/readability.
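
An added example, not part of this PR or the project's code: a small audit that finds `target="_blank"` anchors missing `rel="noopener"`, the condition the security change above fixes in index.html. The function names, the regex-based tag scan, and the sample markup with its placeholder URLs are assumptions made for illustration.

```javascript
// Added example: flag <a target="_blank"> links whose rel lacks "noopener".
// The regex tag scan is a simplification for static pages, not a full HTML parser.

// Parse the attributes of one <a ...> start tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const body = tag.replace(/^<a/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the href of every anchor that opens a new browsing context without
// noopener. Per the HTML spec, rel="noreferrer" also implies noopener.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const [tag] of html.matchAll(/<a(?=[\s\/>])[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      unsafe.push(attrs.href || "(no href)");
    }
  }
  return unsafe;
}

// Constructed sample markup; the URLs are placeholders, not the project's links.
const sampleHtml = `
  <a href="https://example.com/proxy" target="_blank">Host your own proxy</a>
  <a href="https://example.com/privacy" target="_blank" rel="noopener noreferrer">Privacy policy</a>
  <a href='https://example.com/learn' TARGET=_blank REL="nofollow">Learn more</a>
  <a href="https://example.com/ref" target="_blank" rel="noreferrer">Referrer only</a>
  <a href="#settings">Settings</a>`;

console.log(findUnsafeBlankLinks(sampleHtml));
```

Run against a real page by passing the file contents to `findUnsafeBlankLinks`; an empty array means every new-tab link is isolated from `window.opener`.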
@coderabbitai

coderabbitai Bot commented May 14, 2026

Walkthrough

This PR applies three categories of improvements: security hardening on external links by adding rel="noopener noreferrer", modernizing variable declarations from var to const/let across multiple scripts, and fixing a favicon selection condition and dropdown event handler registration pattern.

Changes

Security, scoping, and logic improvements

| Layer / File(s) | Summary |
|---|---|
| External link security hardening (index.html) | Four external anchor links ("Host your own proxy", "Privacy policy", "Learn more", and Firefox instructions "this link") are updated to include rel="noopener noreferrer" alongside target="_blank" for window isolation and referrer protection. |
| Variable scope modernization across scripts (scripts/bookmarks.js, scripts/clock.js, scripts/search-suggestions.js, scripts/search.js) | Variable declarations are converted from function-scoped var to block-scoped const and let throughout: bookmarksAPI to let, and multiple time/date components and URL variables to const in clock initialization, date updates, analog clock updates, autocomplete selection, and search fallback/normal path URL construction. |
| Logic fixes and UI refactoring (scripts/bookmarks.js, scripts/backup-restore.js, scripts/search.js) | Favicon selection condition in setBookmarkFavicon corrected from (!isFirefox \|\| !isOpera) to (!isFirefox && !isOpera) to properly target Chromium browsers; success log removed from backupData(); dropdown hover highlighting handlers refactored to attach once to all items instead of re-registering on each updateSelection() call. |

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly and accurately summarizes the main changes: security hardening (noopener), code modernization (vars to const/let), and bug fixes (favicon logic). |
| Description check | ✅ Passed | The description is comprehensive and follows the template structure with all critical sections completed, though two checklist items (cross-browser verification and CHANGELOG update) are unchecked. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@itz-rj-here itz-rj-here added the enhancement New feature or request label May 14, 2026
@itz-rj-here itz-rj-here marked this pull request as ready for review May 14, 2026 12:53

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/search.js`:
- Around line 262-270: The mouseenter handler on dropdownItems currently only
adds the "selected" class to the hovered item, allowing multiple items to remain
selected and breaking lookup by document.querySelector(".selected"); update the
handlers for the dropdownItems loop so that on "mouseenter" you first remove
"selected" from any currently selected item (e.g., document.querySelectorAll or
document.querySelector(".selected") and remove the class) and then add
"selected" to the hovered item, and ensure "mouseleave" still removes the class
from the hovered item; reference the dropdownItems.forEach loop and the
"mouseenter"/"mouseleave" handlers to locate where to change behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1510df5-a062-465c-9d82-bc3bd4d616e0

📥 Commits

Reviewing files that changed from the base of the PR and between 6db3db4 and 0a5762a.

📒 Files selected for processing (6)
  • index.html
  • scripts/backup-restore.js
  • scripts/bookmarks.js
  • scripts/clock.js
  • scripts/search-suggestions.js
  • scripts/search.js
💤 Files with no reviewable changes (1)
  • scripts/backup-restore.js

Comment thread scripts/search.js
Comment on lines +262 to +270
// Attach mouse hover listeners once (not on every keydown)
dropdownItems.forEach((item) => {
item.addEventListener("mouseenter", () => {
item.classList.add("selected");
});
item.addEventListener("mouseleave", () => {
item.classList.remove("selected");
});
});
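
Review bot: the mouseleave handler removes "selected" unconditionally, and the PR description says updateSelection() keeps the keyboard navigation state, which the Enter path reads back through the same class. If the pointer is resting on an item that keyboard navigation has selected, moving the pointer away clears that selection and Enter finds no .selected element. Consider a separate hover class (or plain CSS :hover) for pointer highlighting, or route both handlers through the shared selection state instead of toggling the class independently.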


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clear existing .selected before applying mouse hover selection.

Hover now only adds/removes class per item, so multiple dropdown items can stay .selected; Enter may then pick the wrong one via querySelector(".selected").

Suggested fix
 dropdownItems.forEach((item) => {
     item.addEventListener("mouseenter", () => {
+        dropdownItems.forEach((el) => el.classList.remove("selected"));
         item.classList.add("selected");
+        selectedIndex = Array.from(dropdownItems).indexOf(item);
     });
     item.addEventListener("mouseleave", () => {
         item.classList.remove("selected");
     });
 });
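
Review bot: in the mouseenter handler, `Array.from(dropdownItems).indexOf(item)` copies the list on every hover although forEach already supplies the position; `dropdownItems.forEach((item, index) => …)` with `selectedIndex = index` gives the same result. selectedIndex is not declared anywhere in the visible lines, so confirm it is in scope at this point. The mouseleave handler also still removes the class without resetting selectedIndex, which leaves the index pointing at an item that no longer carries "selected".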
