Task #89347
Updated by Oliver Hader almost 3 years ago
Issue #78488 introduced noreferrer & noopener by default for external links, see
https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194
However there are scenarios where this has to be seen in context and scope of the website project:
h2. General
* @noopener@ only has an effect on "opened" window contexts (e.g. @target="_blank"@)
* @noreferrer@ might contradict tracking & analysis on websites
** e.g. "which site has similar information" - good use of referrer in a scope similar to "LOD"
*** @Referrer: https://typo3-website.org/resources/car-engines/abc@ when opening @https://remote-vendor.com/cars/xyz@
** e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point to public resources
*** @Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks@ pointing to @https://remote-vendor.com/product-abc@
h2. Suggestion
* make settings configurable
** TypoScript @typolink@
** Site Configuration anchor behavior
* default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict @noopener noreferrer@ (current scenario)
* use @Referrer-Policy@ HTTP header as site-wide default instead, use HTML attr to override the default behavior
** different per site (frontend)
** common for admin UI (backend)
h2. Side-note
There is a difference between TYPO3 backend and frontend as well. Basically
* strict default for backend should be @noopener noreferrer@
* individual behavior for frontend as outlined in previous sections
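As an added example (not TYPO3 code or part of this issue), the following models how a browser derives the Referer for an outgoing link from a site-wide @Referrer-Policy@ default and a per-link @rel="noreferrer"@ override, run against the two constructed URLs from the issue; the helper names (@originOf@, @fullOf@, @referrerFor@, @pathLeaks@, @leakyPolicies@) are hypothetical.

```javascript
// Added example, not TYPO3 code: models the browser's Referer choice for a link
// under a site-wide Referrer-Policy with an optional rel="noreferrer" override.

// Origin-only referrer: scheme + host with a trailing slash, no path.
function originOf(u) { const p = new URL(u); return `${p.protocol}//${p.host}/`; }

// Full referrer: path and query kept, fragment and credentials stripped.
function fullOf(u) { const p = new URL(u); return p.origin + p.pathname + p.search; }

// Referer the browser would send for a navigation from `from` to `to`, or null for none.
function referrerFor({ from, to, policy = "strict-origin-when-cross-origin", rel = "" }) {
  // The element's rel="noreferrer" wins over the header-provided site-wide default.
  if (rel.toLowerCase().split(/\s+/).includes("noreferrer")) return null;
  const src = new URL(from), dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return fullOf(from);
    case "origin":                     return originOf(from);
    case "same-origin":                return sameOrigin ? fullOf(from) : null;
    case "strict-origin":              return downgrade ? null : originOf(from);
    case "origin-when-cross-origin":   return sameOrigin ? fullOf(from) : originOf(from);
    case "no-referrer-when-downgrade": return downgrade ? null : fullOf(from);
    default: // strict-origin-when-cross-origin, the browser default
      if (sameOrigin) return fullOf(from);
      return downgrade ? null : originOf(from);
  }
}

// True when the Referer exposes more than the origin, i.e. a page path.
function pathLeaks(referrer) {
  return referrer !== null && new URL(referrer).pathname !== "/";
}

// Constructed scenarios from the issue: a public resource vs. a restricted area.
const PUBLIC_PAGE = "https://typo3-website.org/resources/car-engines/abc";
const RESTRICTED_PAGE = "https://typo3-website.org/user-restricted-internal/product-abc-sucks";
const VENDOR = "https://remote-vendor.com/cars/xyz";

// Which candidate site-wide defaults would still expose the restricted path to the vendor?
function leakyPolicies(policies) {
  return policies.filter(p => pathLeaks(referrerFor({ from: RESTRICTED_PAGE, to: VENDOR, policy: p })));
}
```

With the browser default of @strict-origin-when-cross-origin@ only the origin reaches the vendor, so a site can keep the public-page referrer useful and still add @rel="noreferrer"@ only on links from restricted areas.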