Project

General

Profile

Actions
Copy link

Bug #91629

closed

external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener"

Added by Martin Hotmann over 4 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Oliver Hader
Category:
Security
Target version:
-
Start date:
2020-06-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
external links
Complexity:
Is Regression:
Sprint Focus:

Description

If a external link is set in the PageTree and then rendered/used in a menu this link will not get any rel="noopener" or rel="noreferrer" attribute at all.
But as a external link it should. Also Google (Lighthouse) is complaining about that this is a missing security feature.

Link about Google LightHouse complains about:
https://lighthouse-dot-webdotdevsite.appspot.com//lh/html?url=https%3A%2F%2Fnew.hotmann.de#:~:text=Links%20to%20cross-origin%20destinations%20are%20unsafe

Files

external Link.PNG (9.36 KB) external Link.PNG explanation of which "external Link" I mean. Martin Hotmann, 2020-06-10 09:48

Related issues 1 (0 open1 closed)

Is duplicate of TYPO3 Core - Bug #95051: rel="noreferrer" is not set by cross site linksClosed2021-08-31

Actions
Actions
Copy link
 #1

Updated by Martin Hotmann over 4 years ago

Since 10.1 this should not be the case anymore as this features adds automatically these attributes:
https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/10.1/Feature-78488-AddRelNoreferrerToExternalLinks.html

Actions
Copy link
 #2

Updated by Georg Ringer about 4 years ago

  • Status changed from New to Accepted

how do you generate your menu?

Actions
Copy link
 #3

Updated by Martin Hotmann about 4 years ago

Georg Ringer wrote:

how do you generate your menu?

I use standard Bootstrap_Package (newest version) but I also wrote to Richard Haeser and some of the Bootstrap_package guys, they use a extension for solving this problem, but seems for them it also does not work out of box.
All external Links (generated by menu OR manual) should have this, no matter how they have been implemented.
But the links are (like shown in the "external Link.PNG") external Links as a Menu-Point:
So they are rendered as a menu in the Navigation

Actions
Copy link
 #4

Updated by Christian Hackl about 3 years ago

All FLUID Menu* templates are generated as normal html a-tag and there is missing the noopener condition - something like:

// missing: {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}

<a href="{page.link}"{f:if(condition: page.target, then: ' target="{page.target}"')} title="{page.title}" {f:if(condition: '{page.data.doktype} == 3', then: 'rel="noopener"')}>
Actions
Copy link
 #5

Updated by Oliver Hader about 3 years ago

Please see issue #95051 and let's continue there...

Actions
Copy link
 #6

Updated by Oliver Hader about 3 years ago

  • Is duplicate of Bug #95051: rel="noreferrer" is not set by cross site links added
Actions
Copy link
 #7

Updated by Oliver Hader about 3 years ago

  • Status changed from Accepted to Closed
Actions
Copy link
 #8

Updated by Oliver Hader about 3 years ago

Relevant aspect, see https://forge.typo3.org/issues/95051#note-7

Referrer-Policy: same-origin
Actions
Copy link

Also available in: Atom PDF