Contrib.social

Allow rel noopener

Open on Drupal.org →
Created on 16 March 2018, over 6 years ago
Updated 14 February 2023, over 1 year ago

Problem/Motivation

When you link to a page on another site using the target="_blank" attribute, it opens in a new window and early versions of Chrome, Edge, Safari, etc. would pass a JavaScript reference to your page with the window.opener property, which the destination site could e.g. redirect your page to a malicious URL.

The solution prior to Chrome 49, Edge 79, Safari 16.2, Firefox 52, etc. was to add rel="noopener" to any links that had target="_blank". Note, however, this is still a bug in Internet Explorer 11 as of February 2023.

The Social Media Links Block and Field module can output links with target="_blank", so it may be worth adding rel="noopener" in that case.

More information: Links to cross-origin destinations are unsafe on Google Lighthouse docs, rel=noopener on MDN , rel=noopener on Can I Use

Steps to reproduce

  1. Install Drupal Core with the minimal install profile
  2. Download and install the social_media_links-8.x-2.x-dev
  3. Enable the field_ui, social_media_links, and social_media_links_field submodules.
  4. Go to /admin/structure/types/add and add a content type named page.
  5. Click the "save and manage fields" button.
  6. Click the add field link and select Social Media Links Field from the "Add a new field" dropdown.
  7. Set the label to social_test and click the "save and continue" button
  8. Click save field settings on the following page.
  9. Select a few platforms from the Platforms list and then click the "save settings" button
  10. Click manage display, click the gear next to social_test, expand the link attributes details, and set default target to "Open in a new browser window or tab (_blank)"
  11. Note the Default rel dropdown list, does not have a "noopener" option
  12. Click update and then save
  13. Go to /node/add/page
  14. Enter title, body, and values for the social_test fields
  15. Click save
  16. Inspect the HTML for the social media links, notice that they have target="_blank" attributes but they do not have rel="noopener" attributes

Proposed resolution

Change the "Default rel" select list to a checkboxes element in both the FieldFormatter settings and the Social Media Links Block settings, so that you can select more than one. Add external, noopener, and noreferrer options to the "Default rel" control.
Note that the patches in comments #15 and #17 include the config schema definition adapted from 🐛 Missing config schema for block RTBC

Remaining tasks

  3. and maintainer feedback
  4. Commit

User interface changes

the "Default rel" select list was changed to a checkboxes element in both the FieldFormatter settings and the Social Media Links Block settings

API changes

The "Default rel" option can contain more than one value; and the "" value no longer exists.

Data model changes

The "Default rel" option can have zero or more values instead of always having one.

Release notes snippet

Adds the "noopener", "external", and "noreferrer" options to the "Default rel" control for both the FieldFormatter settings and the Social Media Links Block settings

Original report by pietervanhove

Linking using target="_blank" poses a security vulnerability.

See documentation by Google for why you should use rel="noopener" in this case:
https://developers.google.com/web/tools/lighthouse/audits/noopener

Feature request
Status

RTBC

Version

2.0

Component

Code

Created by

🇧🇪Belgium pietervanhove

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago
    🇨🇦Canada AlexGreen

    Updated Issue Summary with more detailed explanation of the problem, proposed resolution, and added steps to reproduce.

    I tested the patch in #17 and it applied cleanly and manual testing worked. Brief code review suggest the code is easy to understand and makes good use of the API.

    I think keeping the config schema changes is worth it because it would have to make changes to the config schema proposed in 🐛 Missing config schema for block RTBC , i.e. to allow multiple values in the "Default rel" control. This will mean this needs a reroll when 3023172 is merged, but I think that is acceptable.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024