Bug #95051
closed
rel="noreferrer" is not set by cross site links
0%
Description
Hello,
i noticed that links between configured sites with different domains in the same TYPO3 system have not the rel="noreferrer" attribute. The target="_blank" is set.
I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".
My domains are completely different like: www.abc.com & www.yxz.net.
By further analyse i came to the addSecurityRelValues() and isInternalUrl() method in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
When i read correct: if the domain was found in the site configurations it's marked as "internal" domain (isInternalUrl()).
This was implemented by https://forge.typo3.org/issues/78488.
I think this is correct in few cases but not in the most.
I'm not sure but maybe a check of the 1st level domain of source domain and target domain is required here.
Updated by
Updated by Oliver Hader about 3 years ago
- Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
Updated by Oliver Hader about 3 years ago
I think in most cases sending a referrer policy HTTP header is sufficient, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy: same-origin
Updated by Oliver Hader about 3 years ago
- Related to Feature #95054: Add possibility to add HTTP headers in frontend added
Updated by Oliver Hader about 3 years ago
- Has duplicate Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" added
Updated by Daniel Siepmann 10 months ago
We have it the other way around.
A customer has multiple domains and TYPO3 is not aware of all the domains as it doesn't manage those domains.
Still the customer wants to have info like referrer for internal domains.
I would guess an event within isInternalUrl() would help, as every installation could alter the original implementation to its needs. E.g. one could remove configured sites if they aren't the current active one. But one could also add further domains, e.g. from site config, extension config, etc.
Updated by Gerrit Code Review 10 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 10 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 10 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 10 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 7 months ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Gerrit Code Review 7 months ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82691
Updated by Daniel Siepmann 7 months ago
- Status changed from Under Review to New
We could solve the issue by adding an EventListener for AfterLinkIsGeneratedEvent altering the rel attribute based on the linked domain.
Maybe you can handle it the same way, so there is no need to adjust TYPO3 itself?
Updated by
Updated by Garvin Hicking 5 months ago
- Status changed from Needs Feedback to Closed
We believe the referrer issue is adressed by Olivers comment (target=blank inherits noreferrer).
Daniels comment should, if we understand properly, be solved by the notes in the adressing patch; integrators can implement a PSR event listener to customize the "rel" attribute in case they might DO want to have a referrer.
We hope this is the right decision, else please feel free to comment here or create a follow-up ticket, thank you!