Bug #95051

rel="noreferrer" is not set by cross site links

Added by Martin Tepper 3 months ago. Updated 3 months ago.

Status: New
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2021-08-31
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hello,

I noticed that links between configured sites with different domains in the same TYPO3 system do not have the rel="noreferrer" attribute. The target="_blank" is set.

I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".

My domains are completely different like: www.abc.com & www.yxz.net.

By further analysis I came to the addSecurityRelValues() and isInternalUrl() methods in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
If I read it correctly: if the domain was found in the site configurations, it is marked as an "internal" domain (isInternalUrl()).

This was implemented by https://forge.typo3.org/issues/78488.

I think this is correct in a few cases but not in most.
I'm not sure, but maybe a check of the first-level domain of the source domain and the target domain is required here.


Related issues

Related to TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank (Closed, 2016-10-28)
Related to TYPO3 Core - Feature #95054: Add possibility to add HTTP headers in frontend (Under Review, 2021-08-31)
Has duplicate TYPO3 Core - Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" (Closed, Oliver Hader, 2020-06-10)
#1

Updated by Martin Tepper 3 months ago

  • Description updated (diff)
#2

Updated by Martin Tepper 3 months ago

  • Description updated (diff)
#3

Updated by Martin Tepper 3 months ago

  • Description updated (diff)
#4

Updated by Martin Tepper 3 months ago

  • Description updated (diff)
#5

Updated by Oliver Hader 3 months ago

  • Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
#6

Updated by Oliver Hader 3 months ago

  • Assignee deleted (Oliver Hader)
#7

Updated by Oliver Hader 3 months ago

I think in most cases sending a referrer policy HTTP header is sufficient, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Referrer-Policy: same-origin
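The two approaches discussed on this ticket, side by side, as an added example that is not TYPO3 core code and not part of this issue: a per-link decision that treats "internal" as same origin (scheme, host and port of the current page) instead of "host exists in some site configuration", plus the Referrer-Policy response header from the previous comment as the page-wide alternative. The function names (linkOrigin, isSameOrigin, securityRelValues, sendReferrerPolicy), the rel policy they implement and the sample links are assumptions of this example; only the two host names come from the report.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 core code. Assumes "internal" should mean
// same origin as the current page (scheme, host, port), not "host appears
// in some site configuration" as the report describes for isInternalUrl().

/**
 * Return [scheme, host, port] for $url, resolving relative links against
 * $currentUrl. Returns null for non-http(s) schemes or unparsable input,
 * which callers treat as cross-origin (fail closed).
 */
function linkOrigin(string $url, string $currentUrl): ?array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // mailto:, tel:, javascript: ... are never same-origin
    }
    if (empty($parts['host'])) {
        // Relative link: it stays on the current page's origin.
        $parts = parse_url($currentUrl);
        if ($parts === false || empty($parts['host'])) {
            return null;
        }
    }
    // Protocol-relative links (//host/...) inherit the current scheme.
    $currentScheme = parse_url($currentUrl, PHP_URL_SCHEME);
    $scheme = strtolower($parts['scheme'] ?? (is_string($currentScheme) ? $currentScheme : 'https'));
    $host = strtolower($parts['host']);
    $port = $parts['port'] ?? ($scheme === 'http' ? 80 : 443);
    return [$scheme, $host, $port];
}

function isSameOrigin(string $currentUrl, string $targetUrl): bool
{
    $current = linkOrigin($currentUrl, $currentUrl);
    $target = linkOrigin($targetUrl, $currentUrl);
    return $current !== null && $target !== null && $current === $target;
}

/**
 * Decide the rel values for one link. Policy (an assumption of this example):
 * every target="_blank" link gets noopener; every cross-origin link gets
 * noreferrer, whether or not it opens a new window.
 */
function securityRelValues(string $currentUrl, string $targetUrl, string $target = ''): array
{
    $rel = [];
    if ($target === '_blank') {
        $rel[] = 'noopener';   // the new window must not get window.opener
    }
    if (!isSameOrigin($currentUrl, $targetUrl)) {
        $rel[] = 'noreferrer'; // do not leak the referring URL cross-origin
    }
    return $rel;
}

// Server-side alternative from comment #7: one response header covers every
// link on the page, including ones the rel attribute logic never sees.
function sendReferrerPolicy(string $policy = 'same-origin'): void
{
    header('Referrer-Policy: ' . $policy);
}

// Constructed sample links; the two hosts come from the report above. Both
// are "configured sites in the same TYPO3 system", yet different origins.
$current = 'https://www.abc.com/news/';
$samples = [
    ['/contact/', '_blank'],              // same origin  -> noopener
    ['https://www.abc.com/about/', ''],   // same origin  -> nothing
    ['http://www.abc.com/about/', ''],    // other scheme -> noreferrer
    ['https://www.yxz.net/', '_blank'],   // cross site   -> noopener noreferrer
    ['//www.yxz.net/', ''],               // cross site   -> noreferrer
    ['mailto:info@abc.com', ''],          // not http(s)  -> noreferrer
];
foreach ($samples as [$href, $target]) {
    $rel = securityRelValues($current, $href, $target);
    printf("%-28s target=%-6s rel=\"%s\"\n", $href, $target ?: '-', implode(' ', $rel));
}
```

Run it with `php example.php` to see which rel values each constructed link receives. Note that browsers treat rel="noreferrer" as implying noopener as well, and that the header approach degrades gracefully: a Referrer-Policy of same-origin suppresses the Referer header for every cross-origin navigation from the page, so a link the per-link check misclassifies still leaks nothing.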
#8

Updated by Oliver Hader 3 months ago

→ see #95054

#9

Updated by Oliver Hader 3 months ago

  • Related to Feature #95054: Add possibility to add HTTP headers in frontend added
#10

Updated by Oliver Hader about 2 months ago

  • Has duplicate Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" added
