Feature #78488

Epic #83559: SEO enhancements in Core

Add rel="noopener noreferrer" to links when target is set to _blank

Added by Markus Hölzle almost 3 years ago. Updated 25 days ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2016-10-28
Due date:
% Done: 100%
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Hey there,

is there a solution for the known security issue by which websites are vulnerable to phishing via JavaScript's "window.opener.location"?
To prevent this issue you have to add an attribute rel="noopener noreferrer" to every a tag which opens an external link (see https://mathiasbynens.github.io/rel-noopener/).

I tried to insert this attribute into the core in the function "\TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->typoLink()" but there is no possibility to add dynamic attributes to a link.

Is it possible to add a TypoScript configuration like "page.config.extTarget" for the "rel" attribute?

The current workaround is to add this attribute with JavaScript, but I think there should be a solution from the TYPO3 core. What do you think?

Regards,
Markus


Related issues

Related to TYPO3 Core - Feature #34288: Typolink should allow rel attribute Closed 2012-02-26
Related to TYPO3 Core - Feature #5341: Page's "target" field inprovments Closed 2009-11-12
Related to TYPO3 Core - Task #89347: Provide strong defaults for anchor noreferred/noopener attribute New 2019-10-04
Related to TYPO3 Core - Bug #89338: Links such as tel: ... in content elements cause an error Under Review 2019-10-03
Duplicated by TYPO3 Core - Bug #78507: Links set to target="_blank" without rel="noopener" are vulnerable to reverse tabnabbing attacks Closed 2016-10-30
Duplicated by TYPO3 Core - Feature #82055: Add noopener behavior to external links Closed 2017-08-07

Associated revisions

Revision 523875cf (diff)
Added by Daniel Siepmann 3 months ago

[FEATURE] Add noopener and noreferrer to external target blank links

All links processed by TypoLink now will add rel="noopener noreferrer"
if necessary.
They are only added for target="_blank" and external hosts.

Resolves: #78488
Releases: master
Change-Id: I24f6a7756e7905ed641e193aff5d1d94375233c0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Tested-by: Georg Ringer <>
Tested-by: TYPO3com <>
Tested-by: Anja Leichsenring <>
Reviewed-by: Georg Ringer <>
Reviewed-by: Anja Leichsenring <>

History

#1 Updated by Helmut Hummel almost 3 years ago

  • Assignee deleted (Helmut Hummel)

#2 Updated by Helmut Hummel almost 3 years ago

  • Subject changed from Security issue: prevent phishing by adding rel="noopener noreferrer" to links to Add rel="noopener noreferrer" to links when target is set to _blank

Two things here.

  1. The window.opener.location is only accessible from the link target when the HTML attribute target is set to "_blank" (or any other value opening a new window).
  2. The issue can only become problematic for untrusted user-generated content.

The first can be mitigated by just not using "_blank" for external links, which is configurable in TYPO3.
For the second thing here, the impact is pretty low in a typical CMS scenario, where trusted editors create content for website visitors.
It does not make sense for editors to exploit this, as they can create links that look internal and lead to a malicious website anyway (page type external url), so why take the detour here.

For frontend user generated content (e.g. comments) I would recommend to disallow creation of any HTML anyway, as letting them insert links is an issue of its own. And if links are allowed in such a case, target _blank should be disallowed.

So I'm really not sure what we could / should fix here in TYPO3.

#3 Updated by Riccardo De Contardi almost 3 years ago

some suggestions on #78507

#4 Updated by Chris Sy almost 3 years ago

I agree that the risk is low for most TYPO3 deployments.

But given the following example:

Your TYPO3 deployment delivers news to your visitors.
You reference external sites a lot.
Maybe one day one of these external sites gets hacked and delivers malicious code.

You cannot know what people deploy with TYPO3, maybe they use felogin and provide a link exchange service.

There are so many examples and I don't think that it helps to simply say disallow _blank.

Is it a problem to apply rel="noopener noreferrer" for every `a` tag with target _blank?

#5 Updated by Helmut Hummel almost 3 years ago

Maybe one day one of these external sites gets hacked and delivers malicious code.

That is still an unlikely, but absolutely valid scenario. Thanks for that!

Is it a problem to apply rel="noopener noreferrer" for every `a` tag with target _blank?

It is a challenge, yes. It is very likely that it breaks some use cases where the rel attribute
is already used. So this change will be quite complex, and I would suggest not introducing this as a bugfix in released branches.

But I'm fine of course if somebody wants to dive into this and proposes a change for master.

Just be aware that the RTE has an interface to add a rel attribute,
that it is also possible to provide a rel attribute to the typolink function,
and that there are hooks that might add attributes (e.g. a rel attribute).
So finding an appropriate place to put the code that changes the rel attribute would be required as a first step.
Then it needs to be evaluated what needs to be done if a rel attribute is already present.
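The merged commit above ("only added for target="_blank" and external hosts") and the concern in comment #5 about links that already carry a rel attribute both come down to the same small decision. The following is an added illustration, not TYPO3 code and not the patch from the review: a hypothetical helper that works on a plain attribute array and a site hostname both chosen here for the example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 core code): add rel="noopener noreferrer"
 * to a link only when it opens a new window AND points to another host,
 * merging into any rel value that is already present instead of overwriting it.
 *
 * @param array<string,string> $attributes link attributes: href, target, optional rel
 * @param string $siteHost hostname of the current site, e.g. "www.example.org"
 * @return array<string,string> attributes with rel merged where necessary
 */
function addNoopenerIfExternalBlank(array $attributes, string $siteHost): array
{
    // Only a link that opens a new browsing context exposes window.opener.
    if (($attributes['target'] ?? '') !== '_blank') {
        return $attributes;
    }
    $host = parse_url($attributes['href'] ?? '', PHP_URL_HOST);
    // Relative links and hostless schemes (e.g. tel:, mailto:) are left untouched.
    if ($host === null || $host === false || strcasecmp($host, $siteHost) === 0) {
        return $attributes;
    }
    // Keep existing rel tokens (nofollow, etc.) and add the missing ones once.
    $tokens = preg_split('/\s+/', trim($attributes['rel'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $present = array_map('strtolower', $tokens);
    foreach (['noopener', 'noreferrer'] as $required) {
        if (!in_array($required, $present, true)) {
            $tokens[] = $required;
        }
    }
    $attributes['rel'] = implode(' ', $tokens);
    return $attributes;
}

// Constructed sample links for the demonstration.
$siteHost = 'www.example.org';
$samples = [
    ['href' => 'https://external.example.com/', 'target' => '_blank'],
    ['href' => 'https://external.example.com/', 'target' => '_blank', 'rel' => 'nofollow'],
    ['href' => 'https://www.example.org/page', 'target' => '_blank'],
    ['href' => '/internal/page', 'target' => '_blank'],
    ['href' => 'tel:+4912345', 'target' => '_blank'],
    ['href' => 'https://external.example.com/', 'target' => '_self'],
];
foreach ($samples as $link) {
    $result = addNoopenerIfExternalBlank($link, $siteHost);
    printf("%-42s rel=\"%s\"\n", $link['href'] . ' target=' . $link['target'], $result['rel'] ?? '');
}
```

Only the first two samples gain the tokens; the second keeps its existing nofollow, which is the case comment #5 asks to handle.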

#6 Updated by Wouter Wolters about 2 years ago

  • Duplicated by Feature #82055: Add noopener behavior to external links added

#7 Updated by Alexander Opitz almost 2 years ago

Information about this can also be found on https://developers.google.com/web/tools/lighthouse/audits/noopener

#8 Updated by Tymoteusz Motylewski over 1 year ago

  • Tracker changed from Bug to Feature
  • Parent task set to #83559

#9 Updated by Gerrit Code Review 10 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

#10 Updated by Gerrit Code Review 9 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

#11 Updated by Gerrit Code Review 9 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

#12 Updated by Gerrit Code Review 9 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

#13 Updated by Gerrit Code Review 3 months ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#14 Updated by Georg Ringer 3 months ago

I started to have this as an extension https://github.com/georgringer/noopener for 8+9

#15 Updated by Patrick no-lastname-given 3 months ago

Georg Ringer wrote:

I started to have this as an extension https://github.com/georgringer/noopener for 8+9

Nice, works so far for content. Do you use it in production and could you provide a (beta) release on Packagist? Thanks.

#16 Updated by Gerrit Code Review 3 months ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#17 Updated by Gerrit Code Review 3 months ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#18 Updated by Gerrit Code Review 3 months ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#19 Updated by Gerrit Code Review 3 months ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#20 Updated by Gerrit Code Review 3 months ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#21 Updated by Gerrit Code Review 3 months ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

#22 Updated by Daniel Siepmann 3 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#23 Updated by Benni Mack 25 days ago

  • Status changed from Resolved to Closed

#24 Updated by Oliver Hader 15 days ago

  • Related to Task #89347: Provide strong defaults for anchor noreferred/noopener attribute added

#25 Updated by Christian Eßl 15 days ago

  • Related to Bug #89338: Links such as tel: ... in content elements cause an error added
