Bug #78507

Links set to target="_blank" without rel="noopener" are vulnerable to reverse tabnabbing attacks

Added by Phil Rezo about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Frontend
Target version:
-
Start date:
2016-10-30
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Vulnerability details
Windows opened through hrefs with target="_blank" can modify window.opener.location and replace the parent webpage with something else, even on a different origin (bypassing the same-origin policy).

The lack of a rel="noopener noreferrer" attribute can allow phishing attacks to silently change the URL of the source tab using window.opener.location.assign and trick the user into entering private information or credentials in the malicious copy as if it were still a trusted page.

External Reference

Suggested fix
Is it possible to add a TypoScript-defined condition that would append something like ATagParams = rel="noopener noreferrer" to all hrefs set to target _blank, or class external-link-new-window, through the RTE link wizard?

Or this simple fix in typo3_src-7.6.11/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php appends rel="noopener noreferrer" to every href that has been set to target _blank.

@@ -1859,6 +1859,7 @@
                 $a1 = '<a href="' . htmlspecialchars($url) . '"'
                     . ' onclick="' . htmlspecialchars($onClick) . '"'
                     . ($target !== '' ? ' target="' . htmlspecialchars($target) . '"' : '')
+                    . ($target === '_blank' ? ' rel="noopener noreferrer"' : '')
                     . $this->getTypoScriptFrontendController()->ATagParams . '>';
                 $a2 = '</a>';
                 $this->getTypoScriptFrontendController()->setJS('openPic');
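Review bot: The `$target === '_blank'` test on the added line is narrower than the problem described in the report: any target other than `_self`, `_parent` or `_top` (a named window such as `target="popup"`, or `_Blank` in a different case, which browsers treat as `_blank`) also opens a new browsing context whose `window.opener` points back at this page, so those links stay unprotected. Consider checking that `$target` is non-empty and not one of the three self-referencing keywords, compared case-insensitively. The literal is also emitted directly before `ATagParams`, so a `rel="..."` configured there yields two `rel` attributes on one tag; merging the tokens into a single attribute would avoid that.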
@@ -5629,6 +5630,7 @@

                     $res = '<a href="' . htmlspecialchars($linkUrl) . '"'
                         . ($target !== '' ? ' target="' . htmlspecialchars($target) . '"' : '')
+                        . ($target === '_blank' ? ' rel="noopener noreferrer"' : '')
                         . $aTagParams . $this->extLinkATagParams(('http://' . $parts[0]), 'url') . '>';

                     $wrap = isset($conf['wrap.']) ? $this->stdWrap($conf['wrap'], $conf['wrap.']) : $conf['wrap'];
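Review bot: Same hardcoded literal as in the first hunk, here placed ahead of `$aTagParams` and `extLinkATagParams()`, so a `rel` supplied by either source produces a duplicate attribute in this branch as well. As this is the second of five identical insertions, factor the condition and the attribute string into one private method (for example `getNoOpenerRelParams($target)`, a hypothetical name) so that a later change to the condition or to the rel value lands in one place.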
@@ -6504,6 +6506,7 @@
                 $this->lastTypoLinkTarget = $target;
                 $finalTagParts['url'] = $this->lastTypoLinkUrl;
                 $finalTagParts['targetParams'] = $target ? ' target="' . htmlspecialchars($target) . '"' : '';
+                $finalTagParts['targetParams'] .= $target === '_blank' ? ' rel="noopener noreferrer"' : '';
                 $finalTagParts['aTagParams'] .= $this->extLinkATagParams($finalTagParts['url'], $linkType);
             break;
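Review bot: The added line appends the rel fragment to `targetParams` instead of `aTagParams`, so `targetParams` no longer carries only the target attribute; any code that reads `$finalTagParts['targetParams']` to recover the target value should be checked before this lands. No test accompanies the change either; a unit test asserting that a typolink with target `_blank` renders `rel="noopener noreferrer"` exactly once (and that `_self` renders none) would guard against regressions.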

@@ -6530,6 +6533,7 @@
                     $this->lastTypoLinkTarget = $target;
                     $finalTagParts['url'] = $this->lastTypoLinkUrl;
                     $finalTagParts['targetParams'] = $target ? ' target="' . htmlspecialchars($target) . '"' : '';
+                    $finalTagParts['targetParams'] .= $target === '_blank' ? ' rel="noopener noreferrer"' : '';
                     $finalTagParts['aTagParams'] .= $this->extLinkATagParams($finalTagParts['url'], $linkType);
                 } else {
                     $this->getTimeTracker()->setTSlogMessage('typolink(): File "' . $splitLinkParam[0] . '" did not exist, so "' . $linktxt . '" was not linked.', 1);
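Review bot: This file-link branch repeats the URL-branch logic verbatim; see the earlier note on a shared helper. For file links specifically, `noreferrer` also suppresses the `Referer` header on downloads from the site's own domain, which matters if file access is gated on the referrer; `noopener` alone closes the `window.opener` hole, so consider emitting `noreferrer` only for external link types.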
@@ -6773,6 +6777,7 @@
                     // Rendering the tag.
                     $finalTagParts['url'] = $this->lastTypoLinkUrl;
                     $finalTagParts['targetParams'] = (string)$LD['target'] !== '' ? ' target="' . htmlspecialchars($LD['target']) . '"' : '';
+                    $finalTagParts['targetParams'] .= (string)$LD['target'] === '_blank' ? ' rel="noopener noreferrer"' : '';
                 } else {
                     $this->getTimeTracker()->setTSlogMessage('typolink(): Page id "' . $linkParameter . '" was not found, so "' . $linktxt . '" was not linked.', 1);
                     return $linktxt;
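Review bot: For internal page links, `noreferrer` withholds the site's own `Referer` from itself, which breaks referrer-based analytics and any page logic that relies on it, while `noopener` alone defeats the `window.opener.location` rewrite described in the report (`noreferrer` mainly serves as a fallback for browsers that do not yet honour `noopener`). Making the rel value configurable through TypoScript, as the description itself proposes for `ATagParams`, would let sites decide; hardcoding both tokens for every `_blank` target removes that choice.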

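The description proposes appending a fixed rel value to every _blank link. The following is an added example, not TYPO3 core code and not the reporter's patch: a hypothetical helper `buildTargetAndRelParams()` that treats every target other than `_self`, `_parent` and `_top` as opening a new browsing context and merges `noopener noreferrer` into any `rel` already present in the ATagParams string, so a tag never ends up with two `rel` attributes; and a hypothetical check `findUnprotectedLinks()` that scans rendered HTML for anchors that open a new browsing context without `noopener` or `noreferrer`, which is what a site owner would run to find affected links before and after a fix. Function names and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (example code, not TYPO3 core): return the attribute
 * fragment that follows href="..." in an <a> tag.
 *
 * $target      value of the target attribute ('' when none)
 * $aTagParams  extra attributes as TypoScript ATagParams would supply,
 *              e.g. ' rel="nofollow" class="external"'
 */
function buildTargetAndRelParams(string $target, string $aTagParams): string
{
    // Anything that is not the current, parent or top context opens a new one,
    // and that new context gets a window.opener pointing back at this page.
    // Browsers compare these keywords case-insensitively, so we do too.
    $opensNewContext = $target !== ''
        && !in_array(strtolower($target), ['_self', '_parent', '_top'], true);

    // Pull an existing rel="..." out of the params so exactly one rel is emitted.
    $rel = [];
    if (preg_match('/\srel=(["\'])(.*?)\1/i', $aTagParams, $m) === 1) {
        $rel = preg_split('/\s+/', strtolower(trim($m[2])), -1, PREG_SPLIT_NO_EMPTY);
        $aTagParams = str_replace($m[0], '', $aTagParams);
    }

    if ($opensNewContext) {
        $rel = array_values(array_unique(array_merge($rel, ['noopener', 'noreferrer'])));
    }

    $out = '';
    if ($target !== '') {
        $out .= ' target="' . htmlspecialchars($target, ENT_QUOTES) . '"';
    }
    if ($rel !== []) {
        $out .= ' rel="' . htmlspecialchars(implode(' ', $rel), ENT_QUOTES) . '"';
    }
    return $out . $aTagParams;
}

/**
 * Hypothetical check (example code): list the href of every <a> in $html that
 * opens a new browsing context but carries neither noopener nor noreferrer.
 */
function findUnprotectedLinks(string $html): array
{
    $doc = new DOMDocument();
    // Suppress libxml warnings for fragments without <html>/<body>.
    @$doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);

    $unprotected = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $target = strtolower($a->getAttribute('target'));
        if ($target === '' || in_array($target, ['_self', '_parent', '_top'], true)) {
            continue;
        }
        $rel = preg_split('/\s+/', strtolower($a->getAttribute('rel')), -1, PREG_SPLIT_NO_EMPTY);
        if (!in_array('noopener', $rel, true) && !in_array('noreferrer', $rel, true)) {
            $unprotected[] = $a->getAttribute('href');
        }
    }
    return $unprotected;
}

// Constructed inputs to exercise the helper: plain _blank, _blank with a rel
// already configured, an internal _self link, and a named popup window.
echo buildTargetAndRelParams('_blank', ''), "\n";
echo buildTargetAndRelParams('_blank', ' rel="nofollow" class="external"'), "\n";
echo buildTargetAndRelParams('_self', ' class="internal"'), "\n";
echo buildTargetAndRelParams('popup', ''), "\n";

// Constructed HTML fragment: the first and third anchors should be reported.
$sample = '<p><a href="https://example.org/a" target="_blank">a</a>'
    . '<a href="https://example.org/b" target="_blank" rel="noopener">b</a>'
    . '<a href="https://example.org/c" target="win">c</a>'
    . '<a href="/d" target="_self">d</a></p>';
print_r(findUnprotectedLinks($sample));
```

The check deliberately flags named targets such as `target="win"` alongside `_blank`, because the opener relationship exists for any newly created browsing context, not only for the `_blank` keyword the patch tests for.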
Related issues

Is duplicate of TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank (Closed, 2016-10-28)

#1

Updated by Riccardo De Contardi about 4 years ago

  • Status changed from New to Closed

I close this one as a duplicate of #78488; please continue the discussion there. Thank you.

If you think that this is the wrong decision, please reopen it or open a new issue with a reference to this one. Thank you.
