New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace proxy redirect with rel=noreferrer #12780
Conversation
FYI: We support IE 10 which doesn't support noreferrer. However, we have been using |
core/ErrorHandler.php
Outdated
@@ -123,7 +123,7 @@ private static function getHtmlMessage($errno, $errstr, $errfile, $errline, $tra | |||
$message = ErrorHandler::getErrNoString($errno) . ' - ' . $errstr; | |||
|
|||
$html = "<p>There is an error. Please report the message (Matomo " . (class_exists('Piwik\Version') ? Version::VERSION : '') . ") | |||
and full backtrace in the <a href='?module=Proxy&action=redirect&url=https://forum.matomo.org' target='_blank'>Matomo forums</a> (please do a search first as it might have been reported already!).</p>"; | |||
and full backtrace in the <a target='_blank' rel='noreferrer' href='https://forum.matomo.org'>Matomo forums</a> (please do a search first as it might have been reported already!).</p>"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I reckon for security be also good to always add rel=noopener
so rel="noreferrer noopener"
but not needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I'll look into that.
Oh, I was not aware that we want to support IE 10. That's ambitious :-) But you seem to imply that it is acceptable to ignore IE 10 in this case? The links will still work, of course. |
@@ -38,17 +38,17 @@ public function getId() | |||
|
|||
public function getDescription() | |||
{ | |||
return 'You can use <a target="_blank" href="?module=Proxy&action=redirect&url=http://www.aspsms.com/en/?REF=227830"><img src="plugins/MobileMessaging/images/ASPSMS.png"/></a> to send SMS Reports from Piwik.<br/> | |||
return 'You can use <a target="_blank" rel="noreferrer" href="http://www.aspsms.com/en/?REF=227830"><img src="plugins/MobileMessaging/images/ASPSMS.png"/></a> to send SMS Reports from Piwik.<br/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For external links we would for now probably continue to use the proxy.
I would say for matomo.org links it should be fine, for external links I would probably still use the proxy until IE support is dropped. Any thoughts @mattab ? |
For external links to non matomo domains, would be best to use the proxy as long as we support IE10 👍 |
core/testMinimumPhpVersion.php
Outdated
"\n\n<br/><br/>Note: if for some reasons you cannot install composer, instead install the latest Matomo release from ". | ||
"<a href='https://builds.matomo.org/piwik.zip'>builds.matomo.org</a>.</p>"; | ||
"<a href='https://builds.matomo.org/piwik.zip' rel='noreferrer noopener' target='_blank'>builds.matomo.org</a>.</p>"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the target _blank is not needed here?
@@ -37,7 +37,7 @@ | |||
title="{{ 'CoreHome_SubscribeAndBecomePiwikSupporter'|translate }}"/> | |||
<a class="donate-spacer">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> | |||
<a href="index.php?module=CoreHome&action=redirectToPaypal&idSite=1&cmd=_s-xclick&hosted_button_id=RPL23NJURMTFA&bb2_screener_=1357583494+83.233.186.82" | |||
rel="noreferrer" target="_blank" class="donate-one-time">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> | |||
rel="noopener" target="_blank" class="donate-one-time">{{ 'CoreHome_MakeOneTimeDonation'|translate }}</a> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any reason noreferrer was removed here? is the redirectToPaypal removing the referrer? may be good to still have it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, no, seems like a casualty from my search-and-replace rampage :) I'll revert it.
plugins/Proxy/Controller.php
Outdated
if (!self::isPiwikUrl($url)) { | ||
Piwik::checkUserHasSomeViewAccess(); | ||
} | ||
Piwik::checkUserHasSomeViewAccess(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking it will be still good to have previous logic but makes sense to always check now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
plugins/SEO/templates/getRank.twig
Outdated
@@ -20,15 +20,15 @@ | |||
{{ 'General_Error'|translate }} | |||
{% else %} | |||
{% set cleanUrl %} | |||
<a href="http://{{ urlToRank }}" rel="noreferrer" target="_blank">{{ urlToRank }}</a> | |||
<a href="?module=Proxy&action=redirect&url=http://{{ urlToRank|url_encode }}" rel="noopener" target="_blank">{{ urlToRank }}</a> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does http:// need to be url encoded?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No (we don't do it elsewhere in hard-coded URLs).
.data('text', title) | ||
.data('maxLines', 3); | ||
|
||
var h2 = self.centerBox.find('h2'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you maybe explain these changes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of using window.open()
, links are created using regular tags, so they use the same mechanism for handling noreferrer noopener
and action=redirect&url=...
as everywhere else.
This allows right-click on links and selecting “Copy URL” from the context menu etc.
It was relevant in my first version of this PR before I reverted to use action=redirect&url=...
(due to IE 10). I still think it is a good change (it streamlines noreferrer
handling and avoids the UI problems with window.open()
), but I guess it is not directly related to this PR. So I'll revert the changes from the PR and perhaps create a separate PR instead.
Tests still need some work. Stay tuned. |
1d64056
to
e338f1a
Compare
Just a thought, but couldn't you add a shim for IE10 to do to proxy redirect, and that way use rel=noreferrer through-out? |
Something like the following pseudo-code:
|
good idea @robocoder @c960657 |
@c960657 would you be keen on checking the idea @robocoder suggested? |
Sure :-) I have been busy the past week, but I'll get back to it shortly. |
c548b45
to
1fcf3ba
Compare
TIL |
Yes, apparently so. I haven't been able to find an official source for this, but my own tests as well as various reports on Stack Overflow etc. seem to confirm it. For this reason, I have restored the changes to transitions.js. The existing code that uses Travis seems to be mostly happy now. There is one failing test in the CustomDimensions plugin that is a Git submodule. I don't know the procedure for dealing with such changes. A separate PR to the CustomDimensions repo after this PR has been merged? |
79409e9
to
1bba0b1
Compare
Hi @c960657 will you be able to make the requested changes? I still see some links missing either |
I reckon we can otherwise also just merge eventually as it'll be still better than before. IMO it be fine if not all are changed at this stage. |
Moved my suggestion for an automated test to a new issue: #13204 |
* Replace proxy redirect with rel=noreferrer * Add noopener * Restore action=redirect for non-Matomo links * Wrap referring URLs * NO target on download link * Fix Github links * Fix whitespace * Fix tests * Revert change * Revert changes * Fix tests * Add noreferrer shim for MSIE 10 * Remove all action=redirect links * Restore noreferrer * Restore test * Fix one more occurrence * Update changelog * Combine if's * Fix changelog wording * Fix stray whitespace
All modern browsers support
rel=noreferrer
. This seems like a better and easier way to link to external sites.When browsers eventually get support for Referer-Policy, all these
rel=noreferrer
can be replaced with a single HTTP header.