Replace proxy redirect with rel=noreferrer #12780
Conversation
|
FYI: We support IE 10 which doesn't support noreferrer. However, we have been using |
core/ErrorHandler.php
Outdated
| @@ -123,7 +123,7 @@ private static function getHtmlMessage($errno, $errstr, $errfile, $errline, $tra | |||
| $message = ErrorHandler::getErrNoString($errno) . ' - ' . $errstr; | |||
|
|
|||
| $html = "<p>There is an error. Please report the message (Matomo " . (class_exists('Piwik\Version') ? Version::VERSION : '') . ") | |||
| and full backtrace in the <a href='?module=Proxy&action=redirect&url=https://forum.matomo.org' target='_blank'>Matomo forums</a> (please do a search first as it might have been reported already!).</p>"; | |||
| and full backtrace in the <a target='_blank' rel='noreferrer' href='https://forum.matomo.org'>Matomo forums</a> (please do a search first as it might have been reported already!).</p>"; | |||
There was a problem hiding this comment.
I reckon for security be also good to always add rel=noopener so rel="noreferrer noopener" but not needed.
There was a problem hiding this comment.
Good idea. I'll look into that.
|
Oh, I was not aware that we want to support IE 10. That's ambitious :-) But you seem to imply that it is acceptable to ignore IE 10 in this case? The links will still work, of course. |
| @@ -38,17 +38,17 @@ public function getId() | |||
|
|
|||
| public function getDescription() | |||
| { | |||
| return 'You can use <a target="_blank" href="?module=Proxy&action=redirect&url=http://www.aspsms.com/en/?REF=227830"><img src="plugins/MobileMessaging/images/ASPSMS.png"/></a> to send SMS Reports from Piwik.<br/> | |||
| return 'You can use <a target="_blank" rel="noreferrer" href="http://www.aspsms.com/en/?REF=227830"><img src="plugins/MobileMessaging/images/ASPSMS.png"/></a> to send SMS Reports from Piwik.<br/> | |||
There was a problem hiding this comment.
For external links we would for now probably continue to use the proxy.
|
I would say for matomo.org links it should be fine, for external links I would probably still use the proxy until IE support is dropped. Any thoughts @mattab ? |
|
For external links to non matomo domains, would be best to use the proxy as long as we support IE10 👍 |
core/testMinimumPhpVersion.php
Outdated
| "\n\n<br/><br/>Note: if for some reasons you cannot install composer, instead install the latest Matomo release from ". | ||
| "<a href='https://builds.matomo.org/piwik.zip'>builds.matomo.org</a>.</p>"; | ||
| "<a href='https://builds.matomo.org/piwik.zip' rel='noreferrer noopener' target='_blank'>builds.matomo.org</a>.</p>"; |
There was a problem hiding this comment.
I think the target _blank is not needed here?
| @@ -37,7 +37,7 @@ | |||
| title="{{ 'CoreHome_SubscribeAndBecomePiwikSupporter'|translate }}"/> | |||
| <a class="donate-spacer">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> | |||
| <a href="index.php?module=CoreHome&action=redirectToPaypal&idSite=1&cmd=_s-xclick&hosted_button_id=RPL23NJURMTFA&bb2_screener_=1357583494+83.233.186.82" | |||
| rel="noreferrer" target="_blank" class="donate-one-time">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> | |||
| rel="noopener" target="_blank" class="donate-one-time">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> | |||
There was a problem hiding this comment.
any reason noreferrer was removed here? is the redirectToPaypal removing the referrer? may be good to still have it.
There was a problem hiding this comment.
Hmm, no, seems like a casualty from my search-and-replace rampage :) I'll revert it.
plugins/Proxy/Controller.php
Outdated
| if (!self::isPiwikUrl($url)) { | ||
| Piwik::checkUserHasSomeViewAccess(); | ||
| } | ||
| Piwik::checkUserHasSomeViewAccess(); |
There was a problem hiding this comment.
I was thinking it will be still good to have previous logic but makes sense to always check now.
plugins/SEO/templates/getRank.twig
Outdated
| @@ -20,15 +20,15 @@ | |||
| {{ 'General_Error'|translate }} | |||
| {% else %} | |||
| {% set cleanUrl %} | |||
| <a href="http://{{ urlToRank }}" rel="noreferrer" target="_blank">{{ urlToRank }}</a> | |||
| <a href="?module=Proxy&action=redirect&url=http://{{ urlToRank|url_encode }}" rel="noopener" target="_blank">{{ urlToRank }}</a> | |||
There was a problem hiding this comment.
does http:// need to be url encoded?
There was a problem hiding this comment.
No (we don't do it elsewhere in hard-coded URLs).
| .data('text', title) | ||
| .data('maxLines', 3); | ||
|
|
||
| var h2 = self.centerBox.find('h2'); |
There was a problem hiding this comment.
Can you maybe explain these changes?
There was a problem hiding this comment.
Instead of using window.open(), links are created using regular tags, so they use the same mechanism for handling noreferrer noopener and action=redirect&url=... as everywhere else.
This allows right-click on links and selecting “Copy URL” from the context menu etc.
It was relevant in my first version of this PR before I reverted to use action=redirect&url=... (due to IE 10). I still think it is a good change (it streamlines noreferrer handling and avoids the UI problems with window.open()), but I guess it is not directly related to this PR. So I'll revert the changes from the PR and perhaps create a separate PR instead.
|
Tests still need some work. Stay tuned. |
c960657
force-pushed
the
proxy-redirect
branch
2 times, most recently
from
1d64056
to
e338f1a
Compare
|
Just a thought, but couldn't you add a shim for IE10 to do to proxy redirect, and that way use rel=noreferrer through-out? |
|
Something like the following pseudo-code: |
|
good idea @robocoder @c960657 |
|
@c960657 would you be keen on checking the idea @robocoder suggested? |
|
Sure :-) I have been busy the past week, but I'll get back to it shortly. |
c960657
force-pushed
the
proxy-redirect
branch
3 times, most recently
from
c548b45
to
1fcf3ba
Compare
|
TIL |
|
Yes, apparently so. I haven't been able to find an official source for this, but my own tests as well as various reports on Stack Overflow etc. seem to confirm it. For this reason, I have restored the changes to transitions.js. The existing code that uses Travis seems to be mostly happy now. There is one failing test in the CustomDimensions plugin that is a Git submodule. I don't know the procedure for dealing with such changes. A separate PR to the CustomDimensions repo after this PR has been merged? |
c960657
force-pushed
the
proxy-redirect
branch
3 times, most recently
from
79409e9
to
1bba0b1
Compare
|
Hi @c960657 will you be able to make the requested changes? I still see some links missing either |
|
I reckon we can otherwise also just merge eventually as it'll be still better than before. IMO it be fine if not all are changed at this stage. |
|
Moved my suggestion for an automated test to a new issue: #13204 |
* Replace proxy redirect with rel=noreferrer * Add noopener * Restore action=redirect for non-Matomo links * Wrap referring URLs * NO target on download link * Fix Github links * Fix whitespace * Fix tests * Revert change * Revert changes * Fix tests * Add noreferrer shim for MSIE 10 * Remove all action=redirect links * Restore noreferrer * Restore test * Fix one more occurrence * Update changelog * Combine if's * Fix changelog wording * Fix stray whitespace
All modern browsers support
rel=noreferrer. This seems like a better and easier way to link to external sites.When browsers eventually get support for Referer-Policy, all these
rel=noreferrercan be replaced with a single HTTP header.