Make sure all outgoing links have noreferrer #13204

Closed
diosmosis opened this issue Jul 24, 2018 · 5 comments
Labels
c: Privacy For issues that impact or improve the privacy. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Milestone

Comments

@diosmosis
Member

After #12780 is merged most links will have noopener noreferrer. To make sure all links now & in the future have this link, we should add a check to the UI test system:

  • After a screenshot test passes, scrape the page in phantomjs and look for links that are to other domains.
  • For each of these links, if it is missing noopener noreferrer, report an error and fail the test.
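
The check proposed in the comment above, as an added example that is not part of the issue or of Matomo's UI test system. It assumes the test harness has already collected each anchor's `href` and `rel` from the rendered page and that the runtime provides the standard `URL` class; `findUnsafeLinks`, `missingRelTokens`, `SAMPLE_LINKS` and the hostnames are hypothetical.

```javascript
// Added example: audit of outgoing links for rel="noopener noreferrer".
const REQUIRED_REL = ['noopener', 'noreferrer'];

// rel is a whitespace-separated, case-insensitive token list; return the required tokens it lacks.
function missingRelTokens(rel) {
  const present = new Set(String(rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  return REQUIRED_REL.filter((token) => !present.has(token));
}

// links: [{ href, rel }] as read from the page, e.g. via document.querySelectorAll('a[href]').
// pageUrl: URL of the page under test; relative and protocol-relative hrefs resolve against it.
function findUnsafeLinks(links, pageUrl) {
  const base = new URL(pageUrl);
  const failures = [];
  for (const { href, rel } of links) {
    let target;
    try {
      target = new URL(href, base);
    } catch (e) {
      continue; // unparsable href, nothing to navigate to
    }
    // "Other domains": http(s) targets whose hostname differs from the page's.
    // This skips mailto:, javascript:, fragments and same-host links.
    if (!/^https?:$/.test(target.protocol) || target.hostname === base.hostname) continue;
    const missing = missingRelTokens(rel);
    if (missing.length > 0) failures.push({ href: target.href, missing });
  }
  return failures;
}

// Constructed sample input, not taken from a real Matomo page.
const SAMPLE_LINKS = [
  { href: '/index.php?module=CoreAdminHome', rel: '' },               // same host
  { href: 'https://docs.example.org/guide', rel: 'noopener noreferrer' }, // compliant
  { href: 'https://plugins.example.org/', rel: 'NoReferrer' },        // lacks noopener
  { href: '//cdn.example.net/help', rel: null },                      // lacks both
  { href: 'mailto:admin@example.org', rel: '' },                      // not http(s)
  { href: '#top', rel: '' },                                          // fragment only
];

function auditSample() {
  return findUnsafeLinks(SAMPLE_LINKS, 'https://analytics.example.test/index.php?module=CoreHome');
}

// A UI test would fail when the returned list is non-empty and print each entry.
console.log(auditSample());
```
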
@diosmosis diosmosis added the c: Tests & QA For issues related to automated tests or making it easier to QA & test issues. label Jul 24, 2018
@diosmosis diosmosis added this to the 3.7.0 milestone Jul 24, 2018
@mattab mattab modified the milestones: 3.7.0, 3.8.0 Oct 11, 2018
@mattab mattab modified the milestones: 3.9.0, 3.10.0 Mar 18, 2019
@mattab mattab added this to the Priority Backlog (Help wanted) milestone Jun 18, 2019
@tsteur
Member

tsteur commented Jul 22, 2020

Instead, there could also be a JS that runs onDomReady, onDomLoad and when components are updated through Angular or so, to check for any outgoing link in the modified DOM and set it dynamically.

@mattab mattab changed the title In UI tests automatically check if all outgoing links have noopener noreferrer Make sure all outgoing links have noopener noreferrer Sep 4, 2020
@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed c: Tests & QA For issues related to automated tests or making it easier to QA & test issues. labels Sep 4, 2020
@tsteur
Member

tsteur commented Dec 21, 2020

@tsteur
Member

tsteur commented Jul 26, 2021

Also we could be sending a Cross-Origin-Opener-Policy header. However, probably most of the browsers that support this header also apply noopener by default.

@tsteur tsteur added the c: Privacy For issues that impact or improve the privacy. label Jul 27, 2021
@tsteur tsteur changed the title Make sure all outgoing links have noopener noreferrer Make sure all outgoing links have noreferrer Jul 27, 2021
@tsteur
Member

tsteur commented Jul 27, 2021

For noopener we don't need to do any changes. Generally though, if we add noreferrer anyway, then we could also add noopener as well.

@Findus23 do we still need noreferrer in links considering we have #17382 ?

@tsteur tsteur added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Oct 21, 2021
@tsteur
Member

tsteur commented Oct 21, 2021

@Findus23 closing this one as the referrer policy header should already take care of this. Let me know if that's not the case.


4 participants