Scan: Replace inline onclick with target="_blank" for CSP compliance

[gmjuhasz]

Fixes JETPACK-1146
Fixes #46304

Proposed changes:

• Replace inline onclick="window.open( this.href ); return false;" with target="_blank" in the Scan admin bar notice.

Why this works:

The original inline onclick handler was used to open the external Calypso scanner URL in a new tab. However, inline event handlers violate Content Security Policy (CSP) because they require unsafe-inline in the script-src directive.

The HTML target="_blank" attribute achieves the same behavior natively, both result in: user clicks → link opens in new tab. The HTML approach is CSP-compliant and works without JavaScript.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

N/A - Security/CSP compliance fix

Does this pull request change what data or activity we track or use?

No

Testing instructions:

1. Deactivate the Protect plugin if active (it has its own admin bar notice and will prevent Scan's notice from showing)

2. Add this snippet to tools/docker/mu-plugins/0-snippets.php to simulate threat detection:

   // Test JETPACK-1146: Fake scan threats for admin bar notice testing.
   add_action(
       'init',
       function () {
           $fake_scan_state = (object) array(
               'threats' => array( (object) array( 'id' => 1, 'name' => 'Test threat' ) ),
           );
           set_transient( 'jetpack_scan_state', $fake_scan_state );
       }
   );

3. Visit any wp-admin page

4. Look for the red shield icon with "Threat found" in the admin bar (top right)

6. Inspect the HTML element and verify:

   • ✅ target="_blank" is present on the link
   • ✅ No onclick attribute exists

7. Click the link and verify it opens in a new tab

8. Remove the test snippet after testing

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the JETPACK-1146 branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack JETPACK-1146

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly:
  • Scheduled release: January 6, 2026

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[Copilot]

Pull request overview

This PR improves Content Security Policy (CSP) compliance in the Jetpack Scan module by replacing an inline onclick event handler with the native HTML target="_blank" attribute. The change removes the CSP violation while maintaining the same user experience of opening the Calypso scanner URL in a new tab when threats are detected.

Key Changes:

• Removed inline onclick="window.open( this.href ); return false;" handler from the admin bar notice
• Replaced with declarative target="_blank" attribute for CSP-compliant behavior
• Maintained consistent code formatting with proper alignment

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
projects/plugins/jetpack/modules/scan/class-admin-bar-notice.php	Replaced inline onclick handler with target="_blank" in the admin bar node configuration
projects/plugins/jetpack/changelog/JETPACK-1146	Added changelog entry documenting the CSP compliance bugfix

Comments suppressed due to low confidence (1)

projects/plugins/jetpack/modules/scan/class-admin-bar-notice.php:179

• When using target="_blank", it's a security best practice to also include rel="noopener noreferrer" to prevent the new page from accessing window.opener and to prevent referrer leakage. This pattern is consistently used throughout the Jetpack codebase for external links. Consider adding $node['meta']['rel'] = 'noopener noreferrer'; alongside the target attribute.

			$node['meta']['target'] = '_blank';

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/jetpack/modules/scan/class-admin-bar-notice.php	0/91 (0.00%)	0.00%	1 ❤️‍🩹

Full summary · PHP report · JS report