Skip to content

Commit

Permalink
[TASK] Add rel="noreferrer" to external links of widgets
Browse files Browse the repository at this point in the history 
Clicking on external links (with target="_blank") in RSS widgets and buttons
of Dashboard widgets can leak the referrer of the linked page. This is mostly
not wanted because it reveals the URL of the TYPO3 backend. Additionally, the
other page can access the "window.opener" property, which exposes security
issues. Also if the other page is running a lot of JavaScript, the performance
of the TYPO3 backend may also suffer, because the other page may run on the
same process as the TYPO3 backend.

To mitigate this behaviour rel="noreferrer" is added to external links
in the according widgets.

"noreferrer" also implies the "noopener" behaviour, so this is sufficient.

See also:
- https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
- https://developers.google.com/web/tools/lighthouse/audits/noopener

Resolves: #91290
Releases: master
Change-Id: Ie53b543e39bc716a5437d9a7364691de3ec7346f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64401
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Richard Haeser <richard@maxserv.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Richard Haeser <richard@maxserv.com>
  • Loading branch information
@brotkrueml
brotkrueml authored and Richard Haeser committed May 5, 2020
1 parent da6bd97 commit f66a20d
Show file tree
Hide file tree
Showing 5 changed files with 13 additions and 18 deletions.
5 changes: 5 additions & 0 deletions typo3/sysext/dashboard/Resources/Private/Partials/Widget/Button.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" data-namespace-typo3-fluid="true">
<f:if condition="{button}">
<a href="{button.link}" class="widget-cta"{f:if(condition: '{button.target}', then: ' target="{button.target}"')}{f:if(condition: '{button.target} == "_blank"', then: ' rel="noreferrer"')}>{f:translate(id: button.title, default: button.title)}</a>
</f:if>
</html>
6 changes: 1 addition & 5 deletions typo3/sysext/dashboard/Resources/Private/Templates/Widget/ChartWidget.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,6 @@

</f:section>
<f:section name="footer">

<f:if condition="{button}">
<a href="{button.link}" target="{button.target}" class="widget-cta">{f:translate(id: button.title, default: button.title)}</a>
</f:if>

<f:render partial="Widget/Button" arguments="{button: button}"/>
</f:section>
</html>
6 changes: 2 additions & 4 deletions typo3/sysext/dashboard/Resources/Private/Templates/Widget/CtaWidget.html
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" xmlns:core="http://typo3.org/ns/TYPO3/CMS/Core/ViewHelpers" data-namespace-typo3-fluid="true">
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" data-namespace-typo3-fluid="true">
<f:layout name="Widget/Widget"/>
<f:section name="main">

Expand All @@ -8,8 +8,6 @@

</f:section>
<f:section name="footer">
<f:if condition="{button}">
<a href="{button.link}" target="{button.target}" class="widget-cta">{f:translate(id: button.title, default: button.title)}</a>
</f:if>
<f:render partial="Widget/Button" arguments="{button: button}"/>
</f:section>
</html>
6 changes: 2 additions & 4 deletions typo3/sysext/dashboard/Resources/Private/Templates/Widget/ListWidget.html
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" xmlns:core="http://typo3.org/ns/TYPO3/CMS/Core/ViewHelpers" data-namespace-typo3-fluid="true">
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" data-namespace-typo3-fluid="true">
<f:layout name="Widget/Widget" />
<f:section name="main">

Expand All @@ -12,8 +12,6 @@

</f:section>
<f:section name="footer">
<f:if condition="{button}">
<a href="{button.link}" target="{button.target}" class="widget-cta">{f:translate(id: button.title, default: button.title)}</a>
</f:if>
<f:render partial="Widget/Button" arguments="{button: button}"/>
</f:section>
</html>
8 changes: 3 additions & 5 deletions typo3/sysext/dashboard/Resources/Private/Templates/Widget/RssWidget.html
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" xmlns:core="http://typo3.org/ns/TYPO3/CMS/Core/ViewHelpers" data-namespace-typo3-fluid="true">
<html xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers" data-namespace-typo3-fluid="true">
<f:layout name="Widget/Widget" />
<f:section name="main">

Expand All @@ -7,7 +7,7 @@
<f:for each="{items}" as="item">
<tr>
<td>
<f:link.external uri="{item.link}" target="_blank"><strong>{item.title}</strong></f:link.external>
<f:link.external uri="{item.link}" target="_blank" rel="noreferrer"><strong>{item.title}</strong></f:link.external>
<small><time datetime="{item.pubDate -> f:format.date(format: '%Y-%m-%d')}">{item.pubDate -> f:format.date()}</time></small>
<p>{item.description -> f:format.crop(maxCharacters: 180)}</p>
</td>
Expand All @@ -18,8 +18,6 @@

</f:section>
<f:section name="footer">
<f:if condition="{button}">
<a href="{button.link}" target="{button.target}" class="widget-cta">{f:translate(id: button.title, default: button.title)}</a>
</f:if>
<f:render partial="Widget/Button" arguments="{button: button}"/>
</f:section>
</html>

0 comments on commit f66a20d

Please sign in to comment.