Feature #78488
closed
Epic #83559: SEO enhancements in Core
Add rel="noopener noreferrer" to links when target is set to _blank
Added by Markus Hölzle over 7 years ago. Updated over 1 year ago.
100%
Description
Hey there,
is there a solution for the known security issue with which one the websites are vulnerable for phishing with javascripts "window.opener.location"?
To prevent this issue you have to add an attribute rel="noopener noreferrer" to every a-Tag which opens an external link (see https://mathiasbynens.github.io/rel-noopener/).
I tried to insert this attribute to the core in the function "\TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->typoLink()" but there is no possibility to add dynamic attributes to an link.
Is it possible to add a typoscript configuration like "page.config.extTarget" for the "rel" attribute?
The current workaround is to add this attribute with javascript - but I think there should be a solution from the TYPO3 core. What do you think?
Regards,
Markus
Updated by Helmut Hummel over 7 years ago
- Subject changed from Security issue: prevent phishing by adding rel="noopener noreferrer" to links to Add rel="noopener noreferrer" to links when target is set to _blank
Two things here.
- The window.opener.location is only accessible from the link target, when HTML attribute target is set to "_blank" (or any other value opening a new window)
- The issue can only become problematic, for untrusted user generated content.
The first can be mitigated by just not using "_blank" for external links, which is configurable in TYPO3.
For second thing here, the impact is pretty low in a typical CMS scenario, where trusted editors create content for website vistors.
It does not make sense for editors to exploit this, as they can create links that look internal and lead to a malicious website anyway (page type external url), so why taking the detour here.
For frontend user generated content (e.g. comments) I would recommend to disallow creation of any HTML anyway, as letting them inserting links is an issue of its own. And if links are allowed in such case, target _blank should be disallowed.
So I'm really not sure what we could / should fix here in TYPO3
Updated by
Updated by Chris Sy over 7 years ago
I aggree that the risk is low for the most typo3 deployments.
But given the following example:
You're typo3 deployment deliver news to your vistors.
You reference external sites alot.
Maybe oneday one of these external sites get hacked and delivers malicious code.
You cannot know what people deploy with typo3, maybe they use felogin and provide a link exchange service.
There a so much examples and I don't think that it helps to simply say disallow _blank.
Is it a problem to apply "rel="noopener noreferrer" for every `a` tag with target _blank?
Updated by Helmut Hummel over 7 years ago
Maybe oneday one of these external sites get hacked and delivers malicious code.
That is still an unlikely, but absolutely valid scenario. Thanks for that!
Is it a problem to apply "rel="noopener noreferrer" for every `a` tag with target _blank?
It is a challenge, yes. It is very likely that it breaks some use cases where the rel attribute
is already used. So this change will be quite complex, and I would suggest to not introduce this as bugfix in released branches.
But I'm fine of course if somebody wants to dive into this and proposes a change for master.
Just be aware, that at the RTE has an interface to add a rel attribute
and it is also possible to provide a rel attribute to the typolink function
and that there are hooks, that might add attributes (e.g. a rel attribute)
So finding an appropriate place where to put that code that changes the rel attribute would be required as first step.
The it needs to be evaluated what needs to be done if a rel attribute is already present.
Updated by Wouter Wolters over 6 years ago
- Has duplicate Feature #82055: Add noopener behavior to external links added
Updated by Alexander Opitz over 6 years ago
Informations about this can also be found on https://developers.google.com/web/tools/lighthouse/audits/noopener
Updated by Tymoteusz Motylewski about 6 years ago
- Tracker changed from Bug to Feature
- Parent task set to #83559
Updated by Gerrit Code Review over 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194
Updated by Gerrit Code Review about 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194
Updated by Gerrit Code Review about 5 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194
Updated by Gerrit Code Review about 5 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/59194
Updated by Gerrit Code Review almost 5 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Georg Ringer almost 5 years ago
I started to have this as extension https://github.com/georgringer/noopener for 8+9
Updated by Patrick Lenk almost 5 years ago
Georg Ringer wrote:
I started to have this as extension https://github.com/georgringer/noopener for 8+9
Nice, works so far for content. Do you use it in production and could you provide a (beta) release on packagist? Thanks
Updated by Gerrit Code Review over 4 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Gerrit Code Review over 4 years ago
Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Gerrit Code Review over 4 years ago
Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Gerrit Code Review over 4 years ago
Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Gerrit Code Review over 4 years ago
Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Gerrit Code Review over 4 years ago
Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
Updated by Daniel Siepmann over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 523875cf497e9140c13ee18afa24d723718317b1.
Updated by
Updated by Oliver Hader over 4 years ago
- Related to Task #89347: Provide strong defaults for anchor noreferred/noopener attribute added
Updated by Christian Eßl over 4 years ago
- Related to Bug #89338: Links such as tel: ... in content elements cause an error added
Updated by Daniel Goerz over 4 years ago
- Related to Bug #89757: Fix noopener noreferrer issue added
Updated by Jonas Eberle over 4 years ago
- Related to Bug #89771: rel="noreferer" should be set for all new windows, not just _blank added
Updated by Oliver Hader over 2 years ago
- Related to Bug #95051: rel="noreferrer" is not set by cross site links added
Updated by Simon Schaufelberger over 1 year ago
- Related to Task #96379: [FEATURE] Add rel="noopener noreferrer" to all f:link.external links added
Updated by Martin Weymayer over 1 year ago
This feature should be make "optional", because there are many cases where you need referrer for ex. tracking.