Bug #89044

Links in the TYPO3 backend and install tool should have set rel="noopener noreferrer" for external links

Added by Frank Naegler 5 months ago. Updated about 1 month ago.

Status: Closed
Priority: Should have
Assignee:
Category: Install Tool
Target version: -
Start date: 2019-08-29
Due date:
% Done: 100%
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Some links in the backend and install tool with target _blank (external links) have no rel="noopener noreferrer" set; this should be changed.

See here why: https://developers.google.com/web/tools/lighthouse/audits/noopener

  • When you open another page using target="_blank", the other page may run on the same process as your page, unless Site Isolation is enabled. If the other page is running a lot of JavaScript, your page's performance may also suffer. See The Performance Benefits of rel=noopener.
  • The other page can access your window object with the window.opener property. This exposes an attack surface because the other page can potentially redirect your page to a malicious URL. See About rel=noopener.
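
The check described above, as an added example that is not part of this issue or of the TYPO3 patch: a small Node.js audit that reports links opening a new browsing context without both rel tokens. It goes slightly beyond the description by also flagging named targets (the case raised in related bug #89771); the function names and the sample markup are assumptions made for illustration.

```javascript
// Added example (not TYPO3 code): audit markup for links that open a new
// browsing context without rel="noopener noreferrer".
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);
const REQUIRED = ['noopener', 'noreferrer'];
// Start tags of <a> and <area>; quoted attribute values may contain '>'.
const TAG_RE = /<(?:a|area)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse an attribute string into a lower-cased name -> value map.
// As in HTML parsing, the first occurrence of a duplicate attribute wins.
function parseAttributes(source) {
  const attrs = Object.create(null);
  for (const m of source.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per link whose target opens a new context and whose
// rel attribute lacks one of the required tokens.
function findUnsafeLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    const target = (attrs.target || '').trim().toLowerCase();
    if (SAME_CONTEXT.has(target)) continue; // stays in an existing context
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED.filter((token) => !rel.includes(token));
    if (missing.length > 0) findings.push({ href: attrs.href || '', target, missing });
  }
  return findings;
}

// Constructed sample markup, not taken from the TYPO3 code base.
const SAMPLE = `
<a href="https://example.org/docs" target="_blank">Docs</a>
<a href="https://example.org/a" target="_blank" rel="noopener noreferrer">ok</a>
<a href='https://example.org/b' target=help rel="noopener">named window</a>
<a href="/typo3/module" target="_top">same context</a>
<A HREF="https://example.org/c?x=>" TARGET="_BLANK" REL="NoReferrer">caps</A>
`;

console.log(findUnsafeLinks(SAMPLE));
```

The scan is regex-based and only sees static markup, so links built at runtime in JavaScript need a separate check.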


Related issues

Related to TYPO3 Core - Bug #89757: Fix noopener noreferrer issue Closed 2019-11-23
Related to TYPO3 Core - Bug #89771: rel="noreferer" should be set for all new windows, not just _blank Resolved 2019-11-25

Associated revisions

Revision 980996b4 (diff)
Added by Frank Naegler 5 months ago

[BUGFIX] Set rel="noopener noreferrer" for external links

This patch adds rel="noopener noreferrer" for external links in
backend and install tool for security reasons.
If this is not set, the other page can access the window object
with the window.opener property.

Resolves: #89044
Releases: master, 9.5, 8.7
Change-Id: Ib3ceaf87ad0541cc8603ef0d02c95e0b4ef43d4e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61577
Tested-by: TYPO3com <>
Tested-by: Guido Schmechel <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Guido Schmechel <>
Reviewed-by: Andreas Fernandez <>

Revision 0a0f753a (diff)
Added by Frank Naegler 5 months ago

[BUGFIX] Set rel="noopener noreferrer" for external links

This patch adds rel="noopener noreferrer" for external links in
backend and install tool for security reasons.
If this is not set, the other page can access the window object
with the window.opener property.

Resolves: #89044
Releases: master, 9.5, 8.7
Change-Id: Ib3ceaf87ad0541cc8603ef0d02c95e0b4ef43d4e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61594
Tested-by: TYPO3com <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Andreas Fernandez <>

Revision 095f781d (diff)
Added by Frank Naegler 5 months ago

[BUGFIX] Set rel="noopener noreferrer" for external links

This patch adds rel="noopener noreferrer" for external links in
backend and install tool for security reasons.
If this is not set, the other page can access the window object
with the window.opener property.

Resolves: #89044
Releases: master, 9.5, 8.7
Change-Id: Ib3ceaf87ad0541cc8603ef0d02c95e0b4ef43d4e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61579
Tested-by: TYPO3com <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Andreas Fernandez <>

History

#1 Updated by Gerrit Code Review 5 months ago

  • Status changed from In Progress to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61577

#2 Updated by Mathias Brodala 5 months ago

  • Description updated (diff)

#3 Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61577

#4 Updated by Gerrit Code Review 5 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61594

#5 Updated by Frank Naegler 5 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6 Updated by Gerrit Code Review 5 months ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61594

#7 Updated by Gerrit Code Review 5 months ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61579

#8 Updated by Gerrit Code Review 5 months ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/61579

#9 Updated by Frank Naegler 5 months ago

  • Status changed from Under Review to Resolved

#10 Updated by Daniel Goerz 2 months ago

  • Related to Bug #89757: Fix noopener noreferrer issue added

#11 Updated by Jonas Eberle about 2 months ago

  • Related to Bug #89771: rel="noreferer" should be set for all new windows, not just _blank added

#12 Updated by Benni Mack about 1 month ago

  • Status changed from Resolved to Closed
