Bug #95051

Updated by Martin Tepper over 2 years ago

 

 Hello,

 I noticed that links between configured sites with different domains in the same TYPO3 system do not have the rel="noreferrer" attribute. The target="_blank" is set.

 I came to this because Lighthouse gave me the hint "Links to cross-origin destinations are unsafe". 

 My domains are completely different: www.abc.com & www.yxz.net. 

 On further analysis I came to the addSecurityRelValues() and isInternalUrl() methods in typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php.
 If I read it correctly: if the domain is found in the site configurations, it is marked as an "internal" domain (isInternalUrl()).

 This was implemented by https://forge.typo3.org/issues/78488. 

 I think this is correct in a few cases but not in most.
 I'm not sure, but maybe a check of whether the root domains are equal is required here.
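
The behaviour described in this report, as an added example that is not TYPO3's code or part of the original report: links are rendered under two "internal link" policies and then audited for cross-origin target="_blank" links without rel protection. The function names, the page URL, the link list and the example.org host are assumptions constructed for illustration; the two site hosts are the ones named in the report.

```javascript
// Constructed input: the two site hosts from the report and a page rendered on the first one.
const SITE_HOSTS = ['www.abc.com', 'www.yxz.net'];
const PAGE_URL = 'https://www.abc.com/news/';
const LINKS = ['/about', 'https://www.yxz.net/contact', 'https://example.org/'];

// Policy A: "internal" means the host belongs to any configured site
// (the behaviour the report describes; hypothetical re-implementation).
const bySiteList = (href, page) => SITE_HOSTS.includes(new URL(href, page).hostname);

// Policy B: "internal" means same origin (scheme + host + port) as the current page.
const bySameOrigin = (href, page) => new URL(href, page).origin === new URL(page).origin;

// Render target="_blank" links, adding rel="noreferrer" only to links the policy calls external.
function renderLinks(hrefs, page, isInternal) {
  return hrefs.map((href) => {
    const rel = isInternal(href, page) ? '' : ' rel="noreferrer"';
    return `<a href="${href}" target="_blank"${rel}>link</a>`;
  }).join('\n');
}

// Audit rendered HTML: report cross-origin target="_blank" links that carry
// neither noreferrer nor noopener in rel.
function auditBlankLinks(html, page) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const attr = (name) => (tag.match(new RegExp(`\\b${name}="([^"]*)"`, 'i')) || [])[1];
    const href = attr('href');
    if (!href || (attr('target') || '').toLowerCase() !== '_blank') continue;
    const rel = (attr('rel') || '').toLowerCase().split(/\s+/);
    const crossOrigin = new URL(href, page).origin !== new URL(page).origin;
    if (crossOrigin && !rel.includes('noreferrer') && !rel.includes('noopener')) findings.push(href);
  }
  return findings;
}

console.log('site-list policy  :', auditBlankLinks(renderLinks(LINKS, PAGE_URL, bySiteList), PAGE_URL));
console.log('same-origin policy:', auditBlankLinks(renderLinks(LINKS, PAGE_URL, bySameOrigin), PAGE_URL));
```

Under the site-list policy the audit flags the link to the second configured site; under the same-origin policy nothing is flagged.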
