Bug #95051
open
rel="noreferrer" is not set by cross site links
0%
Description
Hello,
i noticed that links between configured sites with different domains in the same TYPO3 system have not the rel="noreferrer" attribute. The target="_blank" is set.
I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".
My domains are completely different like: www.abc.com & www.yxz.net.
By further analyse i came to the addSecurityRelValues() and isInternalUrl() method in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
When i read correct: if the domain was found in the site configurations it's marked as "internal" domain (isInternalUrl()).
This was implemented by https://forge.typo3.org/issues/78488.
I think this is correct in few cases but not in the most.
I'm not sure but maybe a check of the 1st level domain of source domain and target domain is required here.
Updated by
Updated by Oliver Hader over 2 years ago
- Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
Updated by Oliver Hader over 2 years ago
I think in most cases sending a referrer policy HTTP header is sufficient, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy: same-origin
Updated by Oliver Hader over 2 years ago
- Related to Feature #95054: Add possibility to add HTTP headers in frontend added
Updated by Oliver Hader over 2 years ago
- Has duplicate Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" added
Updated by Daniel Siepmann 3 months ago
We have it the other way around.
A customer has multiple domains and TYPO3 is not aware of all the domains as it doesn't manage those domains.
Still the customer wants to have info like referrer for internal domains.
I would guess an event within isInternalUrl() would help, as every installation could alter the original implementation to its needs. E.g. one could remove configured sites if they aren't the current active one. But one could also add further domains, e.g. from site config, extension config, etc.
Updated by Gerrit Code Review 3 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 3 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 3 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 3 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691