Task #91290
closed
Add rel="noreferrer" to external links of widgets
100%
Description
Clicking on external links (with target="_blank") in RSS widgets and buttons of Dashboard widgets can leak the referrer of the linked page. This is mostly not wanted because it reveals the URL of the TYPO3 backend. Additionally, the other page can access the "window.opener" property, which exposes security issues. If the other page is running a lot of JavaScript, the performance of the TYPO3 backend may also suffer, because the other page may run on the same process as the TYPO3 backend.
To mitigate this behaviour rel="noreferrer" is added to links with target="_blank" in the according widgets.
noreferrer also implies the noopener behaviour, so this is sufficient.
See also:
- https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
- https://developers.google.com/web/tools/lighthouse/audits/noopener
Updated by Gerrit Code Review almost 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64401
Updated by Gerrit Code Review almost 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64401
Updated by Gerrit Code Review almost 4 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64401
Updated by Gerrit Code Review almost 4 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64401
Updated by Chris Müller almost 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset f66a20d382dad4622521192a743561e9b796ca5b.
Updated by