[4.0] Serverside enforcement of rel=noopener for all external links #24337
Comments
|
Just going to re-iterate that this needs to remain an option and not an arbitrary platform behavior. Also keep in mind that this will have performance implications as it is going to require crawling the entire HTML document and parsing all |
|
I am not in favour of ever changing the user generated content. Adding noopener is not enough - you also have to add noreferer NOTE: This was rejected as a security issue three years ago by the JSST |
Well, nothing stops us from getting smarter :) |
|
Shame I was on the end of so much abuse at the time but glad to see the JSST is finally acknowledging th8is |
|
Another thing to consider is this being an all-or-nothing implementation will have unwelcome side effects on some sites. Having this plugin run on I think it's best this work be left in the content editor and a full on server side solution NOT introduced, but if people are going to adamantly pursue this then it needs to be really well scoped out. |
Where - I dont see that |
Maybe I miss something obvious, but how does noopener and/or noreferrer impact SEO? |
|
Doesn't noreferrer prevent passing referral data between domains? Meaning referrals from |
|
Yes that's correct |
|
There is only an issue anyway if the link is target blank and iirc Https negates it as well |
|
Solution: don’t add norefferer and use a referrer-policy header instead, because that’s more flexible |
|
That's overkill to address the security concerns as it would apply to all links not just those in a target blank |
|
Checking google's recommendation, it seems like that noopener actually is enough to kill the security issue - noreferrer is just an additional recommendation on top to improve privacy. So, just applying noopener should fix the issue without affecting tracking. |
|
I still have reservations because of the performance hit but if the scope is contained to only noopener then the plugin doesn't need to be as complex and is less likely to be something people immediately disable. |
|
Can't find the link right now but some older browsers don't support noopener |
|
Starting the regular expression with a fixed text greatly reduces the performance impact Also this should be much lighter than the performance impact of emailcloak plugin which is handling more cases ? |
|
The mail cloaking code only runs on smaller snippets of HTML (most commonly the com_content article body), though may also run multiple times in a request cycle. Unless someone's got an engineering level genius idea, this would be something that runs on the fully completed HTML document and would inherently process every |
|
and I repeat it should only run when you have target=_blank |
|
Note that despite using |
|
Well what does mean "won't work" here? Just nothing happens? Or something breaks? I think the first case can be accepted. When the general issue can be fixed. :) |
|
@zero-24 I'm not sure as I don't use Win 7 or an older version of Win 10. This will be something for the security team to research |
|
Well when not implemented / interpreted by the browser i expect it to be ignored. But I see nothing we can do against that. By your comment i was thinking about special problems you know about ;) |
|
question |
|
answer See a demo of the problem here https://mathiasbynens.github.io/rel-noopener/ |
|
About doing this Content Security Policy It looks like disown-opener CSP directive was dropped from webappsec-csp but something new is planned i do not link to it below, so that you try to read it, So in future (J5 ?), (yes i know it will not be an option for long time), |
ghost
added
the
|
@SniperSister is this something you will be working on or should it be closed? |
|
It's on the agenda for 4.x |
|
@bembelimen I guess this should get a 4.1 tag of some sort |
|
4 years later is there really any point in keeping this open |
|
Agreed. We have widespread adoption of the |
Is your feature request related to a problem? Please describe.
Not having the rel=noopener attribute applied to outgoing links is a potential security issue. So far, Joomla has tackled this by enforcing the attribute in various places like i.e. the WYSWIYG editor config, JHTML::link, layouts etc. - however, links generated outside of those places still depend on the user adding the attribute because it's not enforced by us. A typical example would be an article created without WYSIWYG editor support.
Describe the solution
A potential solution would be a system plugin listening to the onAfterRender event, dynamically adding the rel=noopener attribute after rendering the site.
Additional context
JSST has discussed this internally as a potential issue for 3.x, however considering the rather limitied potential securty impact and associated b/c break, we moved it to the public tracker to be discussed for Joomla 4.
The text was updated successfully, but these errors were encountered: