Bug #95051

open

rel="noreferrer" is not set by cross site links

Added by Martin Tepper over 2 years ago. Updated about 2 months ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2021-08-31
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hello,

I noticed that links between configured sites with different domains in the same TYPO3 system do not have the rel="noreferrer" attribute. The target="_blank" is set.

I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe".

My domains are completely different like: www.abc.com & www.yxz.net.

On further analysis I came to the addSecurityRelValues() and isInternalUrl() methods in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
If I read it correctly: if the domain is found in the site configurations, it is marked as an "internal" domain (isInternalUrl()).

This was implemented by https://forge.typo3.org/issues/78488.

I think this is correct in a few cases but not in most.
I'm not sure, but maybe a check of the 1st level domain of the source domain and target domain is required here.
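
An added example, not part of the original report and not TYPO3's own code: a standalone PHP sketch that contrasts the "host appears in a site configuration" rule described above with a rule that treats a link as internal only when it stays on the host of the page being rendered. All function names are hypothetical, the host lists are constructed from the two domains in the report, and exact host comparison is an assumption (comparing registrable domains would additionally need the Public Suffix List).

```php
<?php
declare(strict_types=1);

// Hypothetical helper names for illustration; none of them are TYPO3 APIs.

/** Host of a link: lowercase string, null for a relative URL, false if unparsable. */
function linkHost(string $url)
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : $host;
}

/** Rule as the report describes it: a host listed in any site configuration is internal. */
function isInternalBySiteConfig(string $url, array $configuredHosts): bool
{
    $host = linkHost($url);
    // Relative links stay on the site; unparsable ones are treated as external.
    return $host === null || ($host !== false && in_array($host, $configuredHosts, true));
}

/** Assumed alternative: internal only if the link stays on the current page's host. */
function isInternalByCurrentHost(string $url, string $currentHost): bool
{
    $host = linkHost($url);
    return $host === null || $host === strtolower($currentHost);
}

/** Merge noopener/noreferrer into rel for target="_blank" links that are not internal. */
function relForLink(string $target, bool $internal, string $existingRel = ''): string
{
    $values = preg_split('/\s+/', strtolower(trim($existingRel)), -1, PREG_SPLIT_NO_EMPTY);
    if (strtolower($target) === '_blank' && !$internal) {
        $values = array_merge($values, ['noopener', 'noreferrer']);
    }
    return implode(' ', array_unique($values));
}

// Constructed sample data: two sites in one installation, page rendered on www.abc.com.
$configuredHosts = ['www.abc.com', 'www.yxz.net'];
$currentHost = 'www.abc.com';
$links = ['https://www.yxz.net/page', 'https://www.abc.com/other', '/local/path', 'https://example.org/'];

foreach ($links as $url) {
    $bySite = relForLink('_blank', isInternalBySiteConfig($url, $configuredHosts));
    $byHost = relForLink('_blank', isInternalByCurrentHost($url, $currentHost));
    printf("%-28s site-config: \"%s\"  current-host: \"%s\"\n", $url, $bySite, $byHost);
}
```

The two rules disagree only for the link to www.yxz.net: the site-configuration rule leaves its rel value empty, while the current-host rule adds noopener noreferrer.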


Related issues 3 (1 open, 2 closed)

Related to TYPO3 Core - Feature #78488: Add rel="noopener noreferrer" to links when target is set to _blank (Closed, 2016-10-28)
Related to TYPO3 Core - Feature #95054: Add possibility to add HTTP headers in frontend (Under Review, 2021-08-31)
Has duplicate TYPO3 Core - Bug #91629: external Links (if set as "external site") do not get rel="noreferrer" NOR rel="noopener" (Closed, Oliver Hader, 2020-06-10)