Project

General

Profile

Actions

Feature #78488

closed

Epic #83559: SEO enhancements in Core

Add rel="noopener noreferrer" to links when target is set to _blank

Added by Markus Hölzle over 7 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2016-10-28
Due date:
% Done:

100%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Hey there,

is there a solution for the known security issue with which one the websites are vulnerable for phishing with javascripts "window.opener.location"?
To prevent this issue you have to add an attribute rel="noopener noreferrer" to every a-Tag which opens an external link (see https://mathiasbynens.github.io/rel-noopener/).

I tried to insert this attribute to the core in the function "\TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->typoLink()" but there is no possibility to add dynamic attributes to an link.

Is it possible to add a typoscript configuration like "page.config.extTarget" for the "rel" attribute?

The current workaround is to add this attribute with javascript - but I think there should be a solution from the TYPO3 core. What do you think?

Regards,
Markus


Related issues 10 (2 open8 closed)

Related to TYPO3 Core - Feature #34288: Typolink should allow rel attributeClosed2012-02-26

Actions
Related to TYPO3 Core - Feature #5341: Page's "target" field inprovmentsClosed2009-11-12

Actions
Related to TYPO3 Core - Task #89347: Provide strong defaults for anchor noreferred/noopener attributeNew2019-10-04

Actions
Related to TYPO3 Core - Bug #89338: Links such as tel: ... in content elements cause an errorClosed2019-10-03

Actions
Related to TYPO3 Core - Bug #89757: Fix noopener noreferrer issueClosedBenni Mack2019-11-23

Actions
Related to TYPO3 Core - Bug #89771: rel="noreferer" should be set for all new windows, not just _blankClosed2019-11-25

Actions
Related to TYPO3 Core - Bug #95051: rel="noreferrer" is not set by cross site linksUnder Review2021-08-31

Actions
Related to TYPO3 Core - Task #96379: [FEATURE] Add rel="noopener noreferrer" to all f:link.external linksRejected2021-12-17

Actions
Has duplicate TYPO3 Core - Bug #78507: Links set to target="_blank" without rel="noopener" are vulnerable to reverse tabnabbing attacksClosed2016-10-30

Actions
Has duplicate TYPO3 Core - Feature #82055: Add noopener behavior to external linksClosed2017-08-07

Actions
Actions #1

Updated by Helmut Hummel over 7 years ago

  • Assignee deleted (Helmut Hummel)
Actions #2

Updated by Helmut Hummel over 7 years ago

  • Subject changed from Security issue: prevent phishing by adding rel="noopener noreferrer" to links to Add rel="noopener noreferrer" to links when target is set to _blank

Two things here.

  1. The window.opener.location is only accessible from the link target, when HTML attribute target is set to "_blank" (or any other value opening a new window)
  2. The issue can only become problematic, for untrusted user generated content.

The first can be mitigated by just not using "_blank" for external links, which is configurable in TYPO3.
For second thing here, the impact is pretty low in a typical CMS scenario, where trusted editors create content for website vistors.
It does not make sense for editors to exploit this, as they can create links that look internal and lead to a malicious website anyway (page type external url), so why taking the detour here.

For frontend user generated content (e.g. comments) I would recommend to disallow creation of any HTML anyway, as letting them inserting links is an issue of its own. And if links are allowed in such case, target _blank should be disallowed.

So I'm really not sure what we could / should fix here in TYPO3

Actions #3

Updated by Riccardo De Contardi over 7 years ago

some suggestions on #78507

Actions #4

Updated by Chris Sy over 7 years ago

I aggree that the risk is low for the most typo3 deployments.

But given the following example:

You're typo3 deployment deliver news to your vistors.
You reference external sites alot.
Maybe oneday one of these external sites get hacked and delivers malicious code.

You cannot know what people deploy with typo3, maybe they use felogin and provide a link exchange service.

There a so much examples and I don't think that it helps to simply say disallow _blank.

Is it a problem to apply "rel="noopener noreferrer" for every `a` tag with target _blank?

Actions #5

Updated by Helmut Hummel over 7 years ago

Maybe oneday one of these external sites get hacked and delivers malicious code.

That is still an unlikely, but absolutely valid scenario. Thanks for that!

Is it a problem to apply "rel="noopener noreferrer" for every `a` tag with target _blank?

It is a challenge, yes. It is very likely that it breaks some use cases where the rel attribute
is already used. So this change will be quite complex, and I would suggest to not introduce this as bugfix in released branches.

But I'm fine of course if somebody wants to dive into this and proposes a change for master.

Just be aware, that at the RTE has an interface to add a rel attribute
and it is also possible to provide a rel attribute to the typolink function
and that there are hooks, that might add attributes (e.g. a rel attribute)
So finding an appropriate place where to put that code that changes the rel attribute would be required as first step.
The it needs to be evaluated what needs to be done if a rel attribute is already present.

Actions #6

Updated by Wouter Wolters over 6 years ago

  • Has duplicate Feature #82055: Add noopener behavior to external links added
Actions #7

Updated by Alexander Opitz over 6 years ago

Informations about this can also be found on https://developers.google.com/web/tools/lighthouse/audits/noopener

Actions #8

Updated by Tymoteusz Motylewski about 6 years ago

  • Tracker changed from Bug to Feature
  • Parent task set to #83559
Actions #9

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

Actions #10

Updated by Gerrit Code Review about 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

Actions #11

Updated by Gerrit Code Review about 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

Actions #12

Updated by Gerrit Code Review about 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194

Actions #13

Updated by Gerrit Code Review over 4 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #14

Updated by Georg Ringer over 4 years ago

I started to have this as extension https://github.com/georgringer/noopener for 8+9

Actions #15

Updated by Patrick Lenk over 4 years ago

Georg Ringer wrote:

I started to have this as extension https://github.com/georgringer/noopener for 8+9

Nice, works so far for content. Do you use it in production and could you provide a (beta) release on packagist? Thanks

Actions #16

Updated by Gerrit Code Review over 4 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #17

Updated by Gerrit Code Review over 4 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #18

Updated by Gerrit Code Review over 4 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #19

Updated by Gerrit Code Review over 4 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #20

Updated by Gerrit Code Review over 4 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #21

Updated by Gerrit Code Review over 4 years ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

Actions #22

Updated by Daniel Siepmann over 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #23

Updated by Benni Mack over 4 years ago

  • Status changed from Resolved to Closed
Actions #24

Updated by Oliver Hader over 4 years ago

  • Related to Task #89347: Provide strong defaults for anchor noreferred/noopener attribute added
Actions #25

Updated by Christian Eßl over 4 years ago

  • Related to Bug #89338: Links such as tel: ... in content elements cause an error added
Actions #26

Updated by Daniel Goerz over 4 years ago

  • Related to Bug #89757: Fix noopener noreferrer issue added
Actions #27

Updated by Jonas Eberle over 4 years ago

  • Related to Bug #89771: rel="noreferer" should be set for all new windows, not just _blank added
Actions #28

Updated by Oliver Hader over 2 years ago

  • Related to Bug #95051: rel="noreferrer" is not set by cross site links added
Actions #29

Updated by Simon Schaufelberger over 1 year ago

  • Related to Task #96379: [FEATURE] Add rel="noopener noreferrer" to all f:link.external links added
Actions #30

Updated by Martin Weymayer over 1 year ago

This feature should be make "optional", because there are many cases where you need referrer for ex. tracking.

Actions

Also available in: Atom PDF