Project

General

Profile

Actions

Bug #91629

closed

external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener"

Added by Martin Hotmann almost 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2020-06-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
external links
Complexity:
Is Regression:
Sprint Focus:

Description

If a external link is set in the PageTree and then rendered/used in a menu this link will not get any rel="noopener" or rel="noreferrer" attribute at all.
But as a external link it should. Also Google (Lighthouse) is complaining about that this is a missing security feature.

Link about Google LightHouse complains about:
https://lighthouse-dot-webdotdevsite.appspot.com//lh/html?url=https%3A%2F%2Fnew.hotmann.de#:~:text=Links%20to%20cross-origin%20destinations%20are%20unsafe


Files

external Link.PNG (9.36 KB) external Link.PNG explanation of which "external Link" I mean. Martin Hotmann, 2020-06-10 09:48

Related issues 1 (1 open0 closed)

Is duplicate of TYPO3 Core - Bug #95051: rel="noreferrer" is not set by cross site linksUnder Review2021-08-31

Actions
Actions #1

Updated by Martin Hotmann almost 4 years ago

Since 10.1 this should not be the case anymore as this features adds automatically these attributes:
https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/10.1/Feature-78488-AddRelNoreferrerToExternalLinks.html

Actions #2

Updated by Georg Ringer over 3 years ago

  • Status changed from New to Accepted

how do you generate your menu?

Actions #3

Updated by Martin Hotmann over 3 years ago

Georg Ringer wrote:

how do you generate your menu?

I use standard Bootstrap_Package (newest version) but I also wrote to Richard Haeser and some of the Bootstrap_package guys, they use a extension for solving this problem, but seems for them it also does not work out of box.
All external Links (generated by menu OR manual) should have this, no matter how they have been implemented.
But the links are (like shown in the "external Link.PNG") external Links as a Menu-Point:
So they are rendered as a menu in the Navigation

Actions #4

Updated by Christian Hackl over 2 years ago

All FLUID Menu* templates are generated as normal html a-tag and there is missing the noopener condition - something like:

// missing: {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}

<a href="{page.link}"{f:if(condition: page.target, then: ' target="{page.target}"')} title="{page.title}" {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}>
Actions #5

Updated by Oliver Hader over 2 years ago

Please see issue #95051 and let's continue there...

Actions #6

Updated by Oliver Hader over 2 years ago

  • Is duplicate of Bug #95051: rel="noreferrer" is not set by cross site links added
Actions #7

Updated by Oliver Hader over 2 years ago

  • Status changed from Accepted to Closed
Actions #8

Updated by Oliver Hader over 2 years ago

Relevant aspect, see https://forge.typo3.org/issues/95051#note-7

Referrer-Policy: same-origin
Actions

Also available in: Atom PDF