#1229: Replace rel="author" with rel="noopener noreferrer" in footer #1243

Merged Feb 16, 2020 (5 commits)


nielslange
Member

Fixes #1229

Replaces rel="author" with rel="noopener noreferrer" in

```php
$links_output .= '<a href="https://woocommerce.com" target="_blank" title="' . esc_attr__( 'WooCommerce - The Best eCommerce Platform for WordPress', 'storefront' ) . '" rel="author">' . esc_html__( 'Built with Storefront &amp; WooCommerce', 'storefront' ) . '</a>.';
```

@Aljullu (Contributor) left a comment

Thanks for fixing this @nielslange!

  • woocommerce.com is a domain owned by Automattic, so I think we can trust it. But at the same time, I don't see any drawback on setting rel="noopener noreferrer", so that part LGTM.
  • 💯 for the change in the string Built with....
  • About the rel="author" removal: while it looks like Google stopped using it for their search ranks, it doesn't seem to be completely deprecated so I initially thought that we should keep it. But at the same time, I don't think Storefront can be considered the author of all sites done with WooCommerce/Storefront. So it looks good to me to remove it. 👍

tl;dr I think this PR can be merged as-is. @haszari & @senadir thoughts?

@haszari (Member) left a comment

I agree - this looks like a good change, thanks @shirokoweb @nielslange for raising & addressing this.

I looked up noreferrer / noopener (see also MDN) to better understand the security implications. Looks like we could catch things like this by using Lighthouse or other validator tools when testing.

Based on the Google docs, I think we should include either noreferrer / noopener - not both. I don't think this is a major blocker but it's worth tidying up now IMO. noopener seems like the right fit for our case; I don't see an issue with including referrer header from a site running storefront => woocommerce.com.

@haszari haszari added this to the 2.5.4 milestone Feb 13, 2020
@shirokoweb

IMO, if you want to keep only one attribute instead of both, it should be noreferrer.

rel="noreferrer" attribute has the same effect as "noopener", but also prevents the Referer header from being sent to the new page.

Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See Referer header: privacy and security concerns for more information and mitigations.

I'm not sure logged-in customers would be happy to potentially have some data sent to anybody, especially under GDPR.

@haszari (Member) commented Feb 13, 2020

> IMO, if you want to keep only one attribute instead of both, it should be noreferrer.

Fair point @shirokoweb, and that's the most conservative (safest) option. I'm happy for us to go with noreferrer.

@haszari (Member) commented Feb 13, 2020

@nielslange can you review the suggested changes and commit to your branch? Then we can get this merged and wrapped up for 2.5.4. Thank you :) cc @Aljullu

nielslange and others added 2 commits February 14, 2020 12:57
Co-Authored-By: Rua Haszard <haszari@cartoonbeats.com>
Co-Authored-By: Rua Haszard <haszari@cartoonbeats.com>
@nielslange (Member, Author)

> @nielslange can you review the suggested changes and commit to your branch? Then we can get this merged and wrapped up for 2.5.4. Thank you :) cc @Aljullu

@haszari I've committed the requested changes so that this PR can be merged.
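
The check haszari suggests automating, combined with the rule shirokoweb quotes (noreferrer has the same effect as noopener), fits in a small audit script. This is an added example, not code from the pull request or from Storefront; the class name, function name and sample markup are constructed for illustration, and it uses only Python's standard `html.parser`.

```python
from html.parser import HTMLParser


class BlankTargetAudit(HTMLParser):
    """Collect links that open a new tab without noopener or noreferrer."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {name: (value or "") for name, value in attrs}
        # The _blank keyword is matched case-insensitively by browsers.
        if attr.get("target", "").strip().lower() != "_blank":
            return
        # rel is a space-separated, case-insensitive token list.
        rel = set(attr.get("rel", "").lower().split())
        # noreferrer implies noopener, so either token protects the opener.
        if not rel & {"noopener", "noreferrer"}:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "href": attr.get("href", ""), "rel": sorted(rel)}
            )


def audit(html):
    """Return one finding per unprotected target="_blank" link."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: line 2 mirrors the footer link before this PR.
SAMPLE = """<footer>
<a href="https://woocommerce.com" target="_blank" rel="author">Built with Storefront &amp; WooCommerce</a>
<a href="https://woocommerce.com" target="_blank" rel="noreferrer">Built with Storefront &amp; WooCommerce</a>
<a href="https://example.com/docs" target="_BLANK" rel="NoOpener nofollow">Docs</a>
<a href="/privacy" rel="author">Privacy</a>
<a href="https://example.com/x" target="_blank">No rel</a>
</footer>"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['href']} rel={f['rel']}")
```

Run against rendered theme output in a test job, a non-empty result can fail the build.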

Successfully merging this pull request may close these issues.

Add rel="noopener" or rel="noreferrer" for Built with Storefront & WooCommerce in footer