Textpattern CMS support forum
Re: Unsafe use of target blank
I’ve added noopener to the author_uri links in the Themes and Plugins panels from 4.8.1. Hope that helps in some way with this.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#14 2020-05-18 17:33:23
- singaz
- Member
- Registered: 2017-03-12
- Posts: 150
Re: Unsafe use of target blank
phiw13, Bloke
Thank you!
Sorry my horror English. I’m learning textpattern, I’m learning English
Re: Unsafe use of target blank
Bloke wrote #323029:
I’ve added noopener to the author_uri links in the Themes and Plugins panels from 4.8.1. Hope that helps in some way with this.
Erm, why are we doing this exactly? These links don’t target a new window/tab as far as I remember so adding that to the rel attribute is not going to do anything.
I’ve already added this security months ago, where needed, in the core and that was released as of Textpattern 4.8.0.
To summarise:
noopener is only needed when target="_blank" is used, to mitigate tab-jacking. And we already do that anywhere it is in core.
noreferrer prevents the linked resource from knowing the originator (and is a companion for your Referrer-Policy header). Not really relevant to Textpattern core.
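The rule summarised in the post above, as an added example that is not part of the original thread or of Textpattern's code: a Node.js check that flags tags using target=_blank without noopener in rel (noreferrer also counts, since the HTML spec makes it imply noopener). The function names and the sample markup are constructed for illustration, and the regex-based tag scan assumes attribute values contain no ">" character.

```javascript
// Added example (not Textpattern code): audit markup for target=_blank
// links that lack rel=noopener. Names and sample markup are constructed.

// Elements whose target attribute can open a new browsing context.
const TAG_RE = /<(a|area|form)\b([^>]*)>/gi;
// Matches name="value", name='value', name=value, or a bare name.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;

function parseAttributes(source) {
  const attrs = new Map();
  for (const m of source.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttributes(m[2]);
    // The _blank keyword is matched case-insensitively by browsers.
    const target = (attrs.get('target') || '').toLowerCase();
    if (target !== '_blank') continue; // same-tab links need no rel change
    const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
    // noreferrer implies noopener, so either token is sufficient.
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    findings.push(m[0]);
  }
  return findings;
}

// Constructed sample markup (URLs are placeholders).
const sample = `
<a href="https://example.com/author">author</a>
<a href="https://example.com/view" target=_blank>View</a>
<a href="https://example.com/site" target="_blank" rel="external noopener">Site</a>
<A HREF='https://example.com/docs' TARGET='_BLANK' REL='nofollow'>Docs</A>
<a href="https://example.com/x" target="_blank" rel="noreferrer">X</a>
`;

console.log(findUnsafeBlankLinks(sample));
```

Only the unquoted target=_blank link and the upper-case link with rel='nofollow' are reported; the link without a target attribute is ignored, matching the point that noopener does nothing there.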
Re: Unsafe use of target blank
philwareham wrote #323037:
Erm, why are we doing this exactly? These links don’t target a new window/tab as far as I remember so adding that to the rel attribute is not going to do anything.
My bad. I’ll revert it. I thought it would help if people chose to open the link in a new tab.
Edit: Oh, you’ve done it. Thanks!
Last edited by Bloke (2020-05-19 09:28:01)
Re: Unsafe use of target blank
Bloke wrote #323039:
My bad. I’ll revert it.
I’ve done a partial revert today – no worries. Cheers Stef.
Re: Unsafe use of target blank
Bloke wrote #323039:
I thought it would help if people chose to open the link in a new tab.
If a user manually opens a link in a new tab via a right-click context menu option, that is automatically ring-fenced by the browser against the aforementioned security risk I believe.
Re: Unsafe use of target blank
philwareham wrote #323042:
If a user manually opens a link in a new tab via a right-click context menu option, that is automatically ring-fenced by the browser against the aforementioned security risk I believe.
Good to know, thanks!
Re: Unsafe use of target blank
philwareham wrote #323037:
noopener is only needed when target="_blank" is used, to mitigate tab-jacking. And we already do that anywhere it is in core.
You may want to add a noopener to the link-to-textpattern-site in the footer of every page of the admin side. Oh, and on the Write tab, the “view” link is also target=_blank (to give it the same treatment as that of the link-to-site in the <header />).
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Unsafe use of target blank
Maybe, but I felt Textpattern.com won’t ever try to tab-jack and if you tab-jack yourself from your own site… well!
Re: Unsafe use of target blank
philwareham wrote #323045:
Maybe, but I felt Textpattern.com won’t ever try to tab-jack and if you tab-jack yourself from your own site… well!
Hmm… Site name. Consistency… Agree about tab-jacking oneself being a little funny.
As for Textpattern site. Who knows…
Re: Unsafe use of target blank
OK, I have added noopener everywhere a new window is called now – a bit overkill but it can’t hurt.
Re: Unsafe use of target blank
phiw13 wrote #322851:
That short article mentions rel="noopener" to mitigate the issue. I think that it is now the default on at least Safari (and Firefox ?), see Mathias’ note.
Starting with Firefox 79, rel=noopener is implicit with target=_blank links, basically mimicking the behaviour implemented by Safari many moons ago. See the release note.