Bug #95051
open
rel="noreferrer" is not set by cross site links
Added by Martin Tepper over 2 years ago.
Updated about 2 months ago.
Description
Hello,
I noticed that links between configured sites with different domains in the same TYPO3 system do not have the rel="noreferrer" attribute. The target="_blank" is set.
I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".
My domains are completely different, like: www.abc.com & www.yxz.net.
Through further analysis I came to the addSecurityRelValues() and isInternalUrl() methods in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
If I read it correctly: if the domain was found in the site configurations, it's marked as an "internal" domain (isInternalUrl()).
This was implemented by https://forge.typo3.org/issues/78488.
I think this is correct in few cases but not in most.
I'm not sure, but maybe a check of the 1st level domain of the source domain and the target domain is required here.
- Description updated (diff)
- Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
- Assignee deleted (Oliver Hader)
- Related to Feature #95054: Add possibility to add HTTP headers in frontend added
- Has duplicate Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" added
We have it the other way around.
A customer has multiple domains and TYPO3 is not aware of all the domains as it doesn't manage those domains.
Still the customer wants to have info like referrer for internal domains.
I would guess an event within isInternalUrl() would help, as every installation could alter the original implementation to its needs. E.g. one could remove configured sites if they aren't the current active one. But one could also add further domains, e.g. from site config, extension config, etc.
- Status changed from New to Under Review
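The two views in this issue, side by side, as an added example that is not TYPO3 core code and not taken from any participant's post: the behaviour the description reports (every configured site host counts as internal) next to a check against the host of the page being rendered, with an integrator-supplied trusted list as the comment suggests. All function names, the `$trustedHosts` parameter and the sample hosts and URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: two sites configured in one installation.
const CONFIGURED_SITE_HOSTS = ['www.abc.com', 'www.yxz.net'];

/** Lower-cased host of a URL; null for relative URLs; '' if unparsable. */
function linkHost(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === false) {
        return ''; // unparsable: matches no host, so it is treated as external
    }
    return $host === null ? null : strtolower($host);
}

/** Behaviour as described in the report: any configured site host is internal. */
function isInternalBySiteList(string $url, array $siteHosts): bool
{
    $host = linkHost($url);
    return $host === null || in_array($host, $siteHosts, true);
}

/**
 * Alternative: internal means the same host as the page being rendered,
 * plus hosts the integrator lists explicitly ($trustedHosts, hypothetical).
 */
function isInternalByCurrentHost(string $url, string $currentHost, array $trustedHosts = []): bool
{
    $host = linkHost($url);
    if ($host === null) {
        return true; // relative link, stays on the current host
    }
    $allowed = array_map('strtolower', array_merge([$currentHost], $trustedHosts));
    return in_array($host, $allowed, true);
}

/** rel value for a link, or null when none is needed. */
function securityRel(string $target, bool $isInternal): ?string
{
    // Per the HTML standard, noreferrer also implies noopener.
    return ($target === '_blank' && !$isInternal) ? 'noreferrer' : null;
}

$url = 'https://www.yxz.net/contact'; // constructed link, rendered on www.abc.com
var_dump(securityRel('_blank', isInternalBySiteList($url, CONFIGURED_SITE_HOSTS)));
var_dump(securityRel('_blank', isInternalByCurrentHost($url, 'www.abc.com')));
var_dump(securityRel('_blank', isInternalByCurrentHost($url, 'www.abc.com', ['www.yxz.net'])));
```

The first call yields no rel value, which is the case Lighthouse flags; the second adds `noreferrer`; the third shows the opt-in for installations that want the referrer kept between their own domains.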