Project

General

Profile

Actions

Task #89347

open

Provide strong defaults for anchor noreferred/noopener attribute

Added by Oliver Hader over 4 years ago. Updated over 2 years ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Link Handling, Site Handling & Routing
Start date:
2019-10-04
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Issue #78488 introduced norefferer & noopener per default for external links, see
https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

However there are scenarios where this has to be seen in context and scope of the website project:

General

  • noopener only has an effect of "opened" window contexts (e.g. target="_blank")
  • noreferrer might contradict tracking & analyzation on websites
    • e.g. "which site is has similar information" - good use of referrer in a scope similar to "LOD"
      • Referrer: https://typo3-website.org/resources/car-engines/abc when opening https://remote-vendor.com/cars/xyz
    • e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point public resources
      • Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks pointing to https://remote-vendor.com/prodct-abc

Suggestion

  • make settings configurable
    • TypoScript typolink
    • Site Configuration anchor behavior
  • default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict noopener noreferrer (current scenario)
  • use Referrer-Policy HTTP header as site-wide default instead, use HTML attr to override the default behavior
    • different per site (frontend)
    • common for admin UI (backend)

Side-note

There is a difference between TYPO3 backend and frontend as well. Basically
  • strict default for backend should be noopener noreferrer
  • individual behavior for frontend as outlined in previous sections

Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blankClosed2016-10-28

Actions
Related to TYPO3 Core - Bug #89757: Fix noopener noreferrer issueClosedBenni Mack2019-11-23

Actions
Related to TYPO3 Core - Task #96379: [FEATURE] Add rel="noopener noreferrer" to all f:link.external linksRejected2021-12-17

Actions
Actions #1

Updated by Oliver Hader over 4 years ago

  • Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
Actions #2

Updated by Oliver Hader over 4 years ago

  • Description updated (diff)
Actions #3

Updated by Christian Eßl over 3 years ago

  • Related to Bug #89757: Fix noopener noreferrer issue added
Actions #4

Updated by Christian Eßl over 3 years ago

Currently only noreferrer is used instead of both noreferrer and noopener, because noreferrer alone also implicitly sets noopener as well.
This is fine with modern browsers, but some older browsers, like IE11 before Windows 10 Creators update, this is not the case and in those instances you would need "noopener" as well to be on the secure side.

So the configurable solution should also make it possible to set both "noreferrer" and "noopener".

Actions #5

Updated by Oliver Hader over 2 years ago

  • Description updated (diff)
Actions #6

Updated by Oliver Hader over 2 years ago

  • Related to Task #96379: [FEATURE] Add rel="noopener noreferrer" to all f:link.external links added
Actions

Also available in: Atom PDF