TYPO3 Core

Issue #78488 introduced norefferer & noopener per default for external links, see
https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194

However there are scenarios where this has to be seen in context and scope of the website project:

General¶

• noopener only has an effect of "opened" window contexts (e.g. target="_blank")
• noreferrer might contradict tracking & analyzation on websites
  • e.g. "which site is has similar information" - good use of referrer in a scope similar to "LOD"
    • Referrer: https://typo3-website.org/resources/car-engines/abc when opening https://remote-vendor.com/cars/xyz
  • e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point public resources
    • Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks pointing to https://remote-vendor.com/prodct-abc

Suggestion¶

• make settings configurable
  • TypoScript typolink
  • Site Configuration anchor behavior
• default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict noopener noreferrer (current scenario)
• use Referrer-Policy HTTP header as site-wide default instead, use HTML attr to override the default behavior
  • different per site (frontend)
  • common for admin UI (backend)

Side-note¶

There is a difference between TYPO3 backend and frontend as well. Basically

• strict default for backend should be noopener noreferrer
• individual behavior for frontend as outlined in previous sections