Bug #91629

external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener"

Added by Martin Hotmann about 2 years ago. Updated 9 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2020-06-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
external links
Complexity:
Is Regression:
Sprint Focus:

Description

If a external link is set in the PageTree and then rendered/used in a menu this link will not get any rel="noopener" or rel="noreferrer" attribute at all.
But as a external link it should. Also Google (Lighthouse) is complaining about that this is a missing security feature.

Link about Google LightHouse complains about:
https://lighthouse-dot-webdotdevsite.appspot.com//lh/html?url=https%3A%2F%2Fnew.hotmann.de#:~:text=Links%20to%20cross-origin%20destinations%20are%20unsafe


Files

external Link.PNG (9.36 KB) external Link.PNG explanation of which "external Link" I mean. Martin Hotmann, 2020-06-10 09:48

Related issues

Is duplicate of TYPO3 Core - Bug #95051: rel="noreferrer" is not set by cross site linksNew2021-08-31

Actions
#1

Updated by Martin Hotmann about 2 years ago

Since 10.1 this should not be the case anymore as this features adds automatically these attributes:
https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/10.1/Feature-78488-AddRelNoreferrerToExternalLinks.html

#2

Updated by Georg Ringer over 1 year ago

  • Status changed from New to Accepted

how do you generate your menu?

#3

Updated by Martin Hotmann over 1 year ago

Georg Ringer wrote:

how do you generate your menu?

I use standard Bootstrap_Package (newest version) but I also wrote to Richard Haeser and some of the Bootstrap_package guys, they use a extension for solving this problem, but seems for them it also does not work out of box.
All external Links (generated by menu OR manual) should have this, no matter how they have been implemented.
But the links are (like shown in the "external Link.PNG") external Links as a Menu-Point:
So they are rendered as a menu in the Navigation

#4

Updated by Christian Hackl 9 months ago

All FLUID Menu* templates are generated as normal html a-tag and there is missing the noopener condition - something like:

// missing: {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}

<a href="{page.link}"{f:if(condition: page.target, then: ' target="{page.target}"')} title="{page.title}" {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}>
#5

Updated by Oliver Hader 9 months ago

Please see issue #95051 and let's continue there...

#6

Updated by Oliver Hader 9 months ago

  • Is duplicate of Bug #95051: rel="noreferrer" is not set by cross site links added
#7

Updated by Oliver Hader 9 months ago

  • Status changed from Accepted to Closed
#8

Updated by Oliver Hader 9 months ago

Relevant aspect, see https://forge.typo3.org/issues/95051#note-7

Referrer-Policy: same-origin

Also available in: Atom PDF