Bug #95051
closed
rel="noreferrer" is not set by cross site links
Added by Martin Tepper about 3 years ago.
Updated 6 months ago.
Description
Hello,
i noticed that links between configured sites with different domains in the same TYPO3 system have not the rel="noreferrer" attribute. The target="_blank" is set.
I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".
My domains are completely different like: www.abc.com & www.yxz.net.
By further analyse i came to the addSecurityRelValues() and isInternalUrl() method in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
When i read correct: if the domain was found in the site configurations it's marked as "internal" domain (isInternalUrl()).
This was implemented by https://forge.typo3.org/issues/78488.
I think this is correct in few cases but not in the most.
I'm not sure but maybe a check of the 1st level domain of source domain and target domain is required here.
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Related to Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank added
- Assignee deleted (
Oliver Hader)
- Related to Feature #95054: Add possibility to add HTTP headers in frontend added
- Has duplicate Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" added
We have it the other way around.
A customer has multiple domains and TYPO3 is not aware of all the domains as it doesn't manage those domains.
Still the customer wants to have info like referrer for internal domains.
I would guess an event within isInternalUrl() would help, as every installation could alter the original implementation to its needs. E.g. one could remove configured sites if they aren't the current active one. But one could also add further domains, e.g. from site config, extension config, etc.
- Status changed from New to Under Review
- Status changed from Under Review to New
We could solve the issue by adding an EventListener for AfterLinkIsGeneratedEvent
altering the rel
attribute based on the linked domain.
Maybe you can handle it the same way, so there is no need to adjust TYPO3 itself?
- Status changed from New to Needs Feedback
- Status changed from Needs Feedback to Closed
We believe the referrer issue is adressed by Olivers comment (target=blank inherits noreferrer).
Daniels comment should, if we understand properly, be solved by the notes in the adressing patch; integrators can implement a PSR event listener to customize the "rel" attribute in case they might DO want to have a referrer.
We hope this is the right decision, else please feel free to comment here or create a follow-up ticket, thank you!
Also available in: Atom
PDF