Task #89347

Provide strong defaults for anchor noreferred/noopener attribute

Added by Oliver Hader over 1 year ago. Updated 10 months ago.

Should have
Link Handling, Site Handling & Routing
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Sprint Focus:


Issue #78488 introduced norefferer & noopener per default for external links, see

However there are scenarios where this has to be seen in context and scope of the website project:


  • noopener only has an effect of "opened" window contexts (e.g. target="_blank")
  • noreferrer might contradict tracking & analyzation on websites
    • e.g. "which site is has similar information" - good use of referrer in a scope similar to "LOD"
      • Referrer: https://typo3-website.org/resources/car-engines/abc when opening https://remote-vendor.com/cars/xyz
    • e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point public resources
      • Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks pointing to https://remote-vendor.com/prodct-abc


  • make settings configurable
    • TypoScript typolink
    • Site Configuration anchor behavior
  • default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict noopener noreferrer (current scenario)


There is a difference between TYPO3 backend and frontend as well. Basically
  • strict default for backend should be noopener noreferrer
  • individual behavior for frontend as outlined in previous sections

Related issues

Related to TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blankClosed2016-10-28

Related to TYPO3 Core - Bug #89757: Fix noopener noreferrer issueClosedBenni Mack2019-11-23


Updated by Oliver Hader over 1 year ago

  • Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added

Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

Updated by Christian Eßl 10 months ago

  • Related to Bug #89757: Fix noopener noreferrer issue added

Updated by Christian Eßl 10 months ago

Currently only noreferrer is used instead of both noreferrer and noopener, because noreferrer alone also implicitly sets noopener as well.
This is fine with modern browsers, but some older browsers, like IE11 before Windows 10 Creators update, this is not the case and in those instances you would need "noopener" as well to be on the secure side.

So the configurable solution should also make it possible to set both "noreferrer" and "noopener".

Also available in: Atom PDF