
fix(ui): prevent tabnabbing in chat images#18685

Merged
shakkernerd merged 4 commits into openclaw:main from Mariana-Codebase:main
Feb 24, 2026

Conversation


@Mariana-Codebase Mariana-Codebase commented Feb 16, 2026

Summary

  • Problem: opening chat images with window.open allows tabnabbing via window.opener.
  • Why it matters: an external tab can redirect or manipulate the original app (phishing).
  • What changed: use noopener,noreferrer and force opener = null.
  • What did NOT change (scope boundary): no changes to image rendering or loading.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • Opening chat images now opens a new tab without access to window.opener.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: Windows 10
  • Runtime/container: N/A
  • Model/provider: N/A
  • Integration/channel (if any): N/A
  • Relevant config (redacted): N/A

Steps

  1. Open a chat image.
  2. Verify the opened tab has no access to window.opener.

Expected

  • window.opener is null in the opened tab.

Actual

  • window.opener is null in the opened tab.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios: clicking a chat image opens a new tab without opener.
  • Edge cases checked: N/A
  • What you did not verify: other browsers.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert commit.
  • Files/config to restore: ui/src/ui/chat/grouped-render.ts
  • Known bad symptoms reviewers should watch for: N/A

Risks and Mitigations

  • Risk: None.
    • Mitigation: N/A

Greptile Summary

Adds tabnabbing protection to the chat image click handler in grouped-render.ts. The previous window.open(url, "_blank") call gave the opened tab access to window.opener, which could be exploited for phishing by redirecting or manipulating the original app tab. The fix passes noopener,noreferrer as window features and adds a fallback opener = null assignment for defense-in-depth in older browsers.

  • Extracts image-open logic into a dedicated openImage helper with security hardening
  • No functional or rendering changes; only the security posture of the new-tab open is affected
  • The change is minimal, scoped, and follows standard browser security best practices

Confidence Score: 5/5

  • This PR is safe to merge — it applies a standard, well-understood browser security pattern with no behavioral side effects.
  • The change is a single-file, minimal security hardening that adds noopener,noreferrer to a window.open call. It introduces no new logic, no new dependencies, and no behavioral changes beyond removing the opener reference. The pattern is standard and widely recommended by OWASP and browser security guidelines.
  • No files require special attention.

Last reviewed commit: 4ee26ff
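The before/after that the summary describes, as an added example that is not the openclaw code (grouped-render.ts is not reproduced here); the fake window, the `honorsNoopener` switch and the image URL are constructed stand-ins for browser semantics so the behaviour can be exercised offline:

```javascript
// Minimal stand-in for a browser window (constructed for this demo).
// Real browsers: when the feature string contains "noopener", the new tab's
// opener is null and window.open() returns null. honorsNoopener=false models
// an older browser that ignores the feature string.
function makeFakeWindow(name, { honorsNoopener = true } = {}) {
  const win = { name, opener: null, location: "about:blank", children: [] };
  win.open = (url, target = "_blank", features = "") => {
    const child = { name: `${name}->${target}`, opener: null, location: url };
    win.children.push(child); // keep a handle so the demo can inspect the tab
    const flags = features.split(",").map((f) => f.trim());
    if (flags.includes("noopener") && honorsNoopener) {
      return null; // spec behaviour: no opener link, no handle returned
    }
    child.opener = win; // legacy behaviour: the new tab can reach its opener
    return child;
  };
  return win;
}

// BEFORE (as the PR describes it): the opened tab keeps a live opener reference.
function openImageUnsafe(win, url) {
  return win.open(url, "_blank");
}

// AFTER: request noopener,noreferrer and, as a fallback for browsers that
// ignore the feature string, null the opener on whatever handle comes back.
function openImageSafe(win, url) {
  const newWin = win.open(url, "_blank", "noopener,noreferrer");
  if (newWin) {
    newWin.opener = null;
  }
  return newWin;
}

// Defender's probe: from the opened tab's point of view, is the original
// (app) tab reachable through window.opener? true means tabnabbing is possible.
function openerReachable(childWin) {
  return childWin !== null && childWin !== undefined && childWin.opener !== null;
}
```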


@Mariana-Codebase Mariana-Codebase changed the title UI: prevent tabnabbing in chat images fix(UI): prevent tabnabbing in chat images Feb 17, 2026
@Mariana-Codebase Mariana-Codebase changed the title fix(UI): prevent tabnabbing in chat images fix(ui): prevent tabnabbing in chat images Feb 17, 2026
@shakkernerd shakkernerd merged commit 649d141 into openclaw:main Feb 24, 2026
21 of 22 checks passed

shakkernerd commented Feb 24, 2026

Landed in main:

  • Pushed commit a42f6f25d to the PR head branch.
  • Merged this PR as squash into main.

Merge commit: 649d141527488281e75d9f67e380ee522426817b

Thanks @Mariana-Codebase!

plgs2005 pushed a commit to plgs2005/openclaw that referenced this pull request Feb 24, 2026
* UI: prevent tabnabbing in chat images

* ui: remove comment from image open helper

---------

Co-authored-by: Shakker <shakkerdroid@gmail.com>
Get-windy pushed a commit to Get-windy/JieZi-ai-PS that referenced this pull request Feb 28, 2026
Updated content:
- fix(ui): prevent tabnabbing in chat images (openclaw#18685)
- fix(cli): replace stale doctor/restart command hints (openclaw#24485)
- Auto-reply: normalize stop matching + multilingual triggers (openclaw#25103)
- docs: fix broken links, add maintainer