UI: tighten external image-open safety checks and CI guard

[shakkernerd]

Summary

• Problem: chat image open policy allowed data:image/svg+xml payloads and we had no CI check to prevent new raw window.open callsites outside the shared helper.
• Why it matters: data:image/svg+xml should be blocked at this boundary, and policy drift is easy without automated enforcement.
• What changed:
  • Block data:image/svg+xml in resolveSafeExternalUrl (including encoded variants) while keeping allowed schemes the same for safe cases.
  • Keep opener isolation when opening new tabs and add focused tests for SVG denial and opener nulling.
  • Add CI step pnpm lint:ui:no-raw-window-open in the check job.
  • Update changelog wording for this area with both related PR references/authors in one entry.
• What did NOT change (scope boundary): no change to allowed http:, https:, blob: and raster data:image/* behavior.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related fix(ui): prevent tabnabbing in chat images #18685
• Related ui: centralize safe external URL opening for chat images #25444

User-visible / Behavior Changes

• Control UI chat-image opens now reject data:image/svg+xml payloads explicitly.
• Existing safe URL behavior remains intact (http/https/blob and allowed raster data URLs).

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 + pnpm
• Model/provider: N/A
• Integration/channel (if any): Control UI
• Relevant config (redacted): default local dev config

Steps

1. Run pnpm check.
2. Run pnpm lint:ui:no-raw-window-open.
3. Run pnpm --dir ui exec vitest run --config vitest.config.ts --browser.enabled=false src/ui/open-external-url.test.ts.

Expected

• All commands pass and the SVG-base64 policy test is enforced.

Actual

• Passed locally.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • Safe helper still allows supported URL schemes.
  • data:image/svg+xml and base64 form are rejected.
  • CI guard command succeeds and catches only non-helper raw opens.
• Edge cases checked:
  • Base64-encoded SVG payload rejection in unit tests.
  • Opener-null fallback path still covered.
• What you did not verify:
  • Full browser-mode Vitest in this environment (Playwright binary missing locally).

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  • Revert this PR commits from main.
• Files/config to restore:
  • ui/src/ui/open-external-url.ts
  • ui/src/ui/open-external-url.test.ts
  • ui/src/ui/views/chat-image-open.browser.test.ts
  • .github/workflows/ci.yml
  • CHANGELOG.md
• Known bad symptoms reviewers should watch for:
  • Unexpected block of safe image URLs in chat click-open flow.

Risks and Mitigations

• Risk:
  • Over-blocking legitimate data-image URLs.
  • Mitigation:
    • Policy explicitly blocks SVG only; raster data-image coverage remains and is tested.

Greptile Summary

This PR adds security hardening to prevent data:image/svg+xml payloads from being opened in chat image clicks and introduces CI enforcement to prevent new raw window.open callsites outside the safe helper.

• Blocks SVG data URLs (both plain and base64-encoded) in resolveSafeExternalUrl while keeping http:, https:, blob:, and raster data images allowed
• Adds comprehensive unit tests for SVG blocking and opener isolation
• Introduces CI check pnpm lint:ui:no-raw-window-open to enforce policy that all window.open calls must go through the safe helper
• Updates changelog to credit both contributors for related chat-image security work
• All existing safe URL behavior (http/https/blob and raster data images) remains unchanged

Confidence Score: 5/5

• This PR is safe to merge with no identified risks
• The changes are well-scoped security improvements with comprehensive test coverage. The SVG blocking logic is straightforward and correctly handles both plain and base64-encoded variants. The CI enforcement prevents policy drift. All existing safe URL behaviors are preserved and tested.
• No files require special attention

_{Last reviewed commit: aeb96a5}

[shakkernerd]

Landed via temp rebase onto main.

• Land commit: 10a740b
• Merge commit: 853f755

Thanks @shakkernerd!