Task #89347

Provide strong defaults for anchor noreferrer/noopener attribute

Added by Oliver Hader over 1 year ago. Updated 10 months ago.

Status: New
Priority: Should have
Assignee: -
Category: Link Handling, Site Handling & Routing
Start date: 2019-10-04
% Done: 0%
TYPO3 Version: 10

Description

Issue #78488 introduced noreferrer & noopener by default for external links, see
https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

However there are scenarios where this has to be seen in context and scope of the website project:

General

  • noopener only has an effect on "opened" window contexts (e.g. target="_blank")
  • noreferrer might contradict tracking & analysis on websites
    • e.g. "which site has similar information" - good use of referrer in a scope similar to "LOD"
      • Referrer: https://typo3-website.org/resources/car-engines/abc when opening https://remote-vendor.com/cars/xyz
    • e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point to public resources
      • Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks pointing to https://remote-vendor.com/prodct-abc

Suggestion

  • make settings configurable
    • TypoScript typolink
    • Site Configuration anchor behavior
  • default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict noopener noreferrer (current scenario)

Side-note

There is a difference between TYPO3 backend and frontend as well. Basically:
  • strict default for backend should be noopener noreferrer
  • individual behavior for frontend as outlined in previous sections

Related issues

Related to TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank (Closed, 2016-10-28)
Related to TYPO3 Core - Bug #89757: Fix noopener noreferrer issue (Closed, Benni Mack, 2019-11-23)

#1

Updated by Oliver Hader over 1 year ago

  • Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
#2

Updated by Oliver Hader over 1 year ago

  • Description updated (diff)
#3

Updated by Christian Eßl 10 months ago

  • Related to Bug #89757: Fix noopener noreferrer issue added
#4

Updated by Christian Eßl 10 months ago

Currently only noreferrer is used instead of both noreferrer and noopener, because noreferrer alone implicitly sets noopener as well.
This is fine with modern browsers, but with some older browsers, like IE11 before the Windows 10 Creators Update, this is not the case, and in those instances you would need "noopener" as well to be on the secure side.

So the configurable solution should also make it possible to set both "noreferrer" and "noopener".
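
An added sketch of the configurable behaviour discussed in this issue (the Suggestion in the description and comment #4), not TYPO3 core code: `resolveRel()`, its parameters and the policy array are hypothetical names. Treating every target other than `_self`, `_parent` or `_top` as opening a new window context is an assumption.

```php
<?php
declare(strict_types=1);

// Added illustration: all names are hypothetical, none of this is TYPO3 API.
const STRICT_REL = ['noopener', 'noreferrer'];

/**
 * @param string     $target      target attribute of the anchor ('' when absent)
 * @param bool       $external    true when the link leaves the site
 * @param string     $context     'backend' or 'frontend'
 * @param array|null $policy      rel tokens from TypoScript/site configuration,
 *                                null when no configuration is loaded (e.g. CLI)
 * @param string     $existingRel rel value already present on the link
 */
function resolveRel(string $target, bool $external, string $context,
                    ?array $policy, string $existingRel = ''): string
{
    // Backend links and the "nothing loaded" case always get the strict pair.
    $wanted = ($context === 'backend' || $policy === null) ? STRICT_REL : $policy;
    // Accept only the two tokens this policy covers; ignore anything else.
    $tokens = array_intersect(STRICT_REL, array_map('strtolower', $wanted));

    // Assumption: every target except these keywords opens a new window context.
    $opensWindow = $target !== ''
        && !in_array(strtolower($target), ['_self', '_parent', '_top'], true);
    if (!$opensWindow) {
        $tokens = array_diff($tokens, ['noopener']); // no effect without an opened window
    }
    if (!$external) {
        $tokens = []; // internal links are left as the editor wrote them
    }

    $existing = preg_split('/\s+/', strtolower(trim($existingRel)), -1, PREG_SPLIT_NO_EMPTY);
    return implode(' ', array_unique(array_merge($existing, $tokens)));
}

// Constructed sample links: target, external, context, policy, existing rel.
$samples = [
    ['_blank', true,  'frontend', null,                       ''],
    ['_blank', true,  'frontend', ['noopener'],               'nofollow'],
    ['_blank', true,  'frontend', ['noreferrer', 'noopener'], 'noopener'],
    ['',       true,  'frontend', ['noopener', 'noreferrer'], ''],
    ['_blank', true,  'backend',  [],                         ''],
];
foreach ($samples as $s) {
    printf("%-9s %-8s => rel=\"%s\"\n", $s[0] === '' ? '(none)' : $s[0], $s[2], resolveRel(...$s));
}
```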
