Task #91290: Add rel="noreferrer" to external links of widgets
Status: closed (100%)
Description
Clicking on external links (with target="_blank") in RSS widgets and buttons of Dashboard widgets can leak the referrer of the linked page. This is mostly not wanted because it reveals the URL of the TYPO3 backend. Additionally, the other page can access the "window.opener" property, which exposes security issues. If the other page is running a lot of JavaScript, the performance of the TYPO3 backend may also suffer, because the other page may run on the same process as the TYPO3 backend.
To mitigate this behaviour, rel="noreferrer" is added to links with target="_blank" in the corresponding widgets.
noreferrer also implies the noopener behaviour, so this is sufficient.
See also:
- https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
- https://developers.google.com/web/tools/lighthouse/audits/noopener
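The check described in this ticket, as an added example that is not part of the TYPO3 change or of this ticket: it scans rendered HTML for links with target="_blank" and adds rel="noreferrer" where it is missing, keeping any rel tokens already present. The function names and the sample markup are constructed for illustration, and the regex-based tag parsing assumes attribute values contain no ">".

```javascript
// Added example (not TYPO3 code): make sure every <a target="_blank"> in an
// HTML fragment carries rel="noreferrer". Assumes no ">" inside attribute values.
const ANCHOR_RE = /<a\s[^>]*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse an opening <a ...> tag into a Map of lower-cased name -> raw value.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<a/i, '').replace(/\/?>$/, '');
  for (const m of body.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // As in HTML parsing, the first occurrence of a duplicated attribute wins.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// rel is a space-separated, case-insensitive token list.
function relTokens(attrs) {
  return (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Returns the rewritten HTML and the hrefs of the links that had to be fixed.
function hardenLinks(html) {
  const fixed = [];
  const output = html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttributes(tag);
    const target = (attrs.get('target') || '').trim().toLowerCase();
    const rel = relTokens(attrs);
    if (target !== '_blank' || rel.includes('noreferrer')) return tag;
    attrs.set('rel', [...rel, 'noreferrer'].join(' '));
    fixed.push(attrs.get('href') || '');
    const serialized = [...attrs]
      .map(([name, value]) => `${name}="${value.replace(/"/g, '&quot;')}"`)
      .join(' ');
    return `<a ${serialized}>`;
  });
  return { output, fixed };
}

// Constructed sample markup resembling widget output.
const SAMPLE = [
  '<a href="https://example.org/feed/item-1" target="_blank">RSS item</a>',
  '<a href="https://example.org/docs" target="_blank" rel="noopener">Docs</a>',
  '<a href="https://example.org/ok" target="_blank" rel="noreferrer">OK</a>',
  '<a href="/typo3/module/page">Internal</a>',
].join('\n');

console.log(hardenLinks(SAMPLE));
```

Running `hardenLinks` over its own output reports nothing left to fix, which makes it usable as a regression check on rendered widget templates.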