Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#3636 closed enhancement (wontfix) - Add rel="noopener noreferrer" to links with target="_blank"

Reported by: garrett-eclipse Owned by:
Milestone: Priority: normal
Component: WordCamp Site & Plugins Keywords:



While translating the new strings for I found a few with target="_blank" on them.

I believe for security they should have the rel="noopener noreferrer" attribute on them.

From some core tickets like #36809 that seems to be the recommendation.


Attachments (1)

Screen Shot 2018-05-24 at 10.24.29 PM.png (124.2 KB) - added by garrett-eclipse 6 years ago.
Strings with target="_blank" links


Change History (3)

6 years ago

Strings with target="_blank" links

#1 @iandunn
6 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I think the reason Core added noreferrer noopener to post_content links in #wp36809 was because the context there is arbitrary links, where the target site may not be trustworthy, and could launch a tabnabbing attack. The links in Screen Shot 2018-05-24 at 10.24.29 PM.png are hardcoded, though, and point to pages on, rather than a 3rd party site.

Core also has to provide tools for the majority, while the standards for sites are more tailored to our use cases. In general, the Security team doesn't consider phishing attacks to be a significant threat, and for tabnabbing in particular, the `noopener noreferrer` mitigation doesn't seem to work very well.

Given all that, I'm gonna go ahead and close this as wontfix, but anybody should feel free to reopen it if you feel strongly that it makes sense.

#2 @garrett-eclipse
6 years ago

Thanks @iandunn, that makes sense to me. Greatly appreciated.
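The check discussed in this ticket can be run over a set of UI strings. The sketch below is an added example, not code from the ticket, WordPress Core, or the WordCamp plugins. It flags `target="_blank"` links that lack either `rel` token and marks whether each one points to a third-party host, which is the distinction comment #1 draws. The host names, sample strings, and the `audit_strings` helper are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

REQUIRED_REL = {"noopener", "noreferrer"}  # the tokens the ticket asks for


class BlankTargetAudit(HTMLParser):
    """Collect <a target="_blank"> links and the rel tokens they lack."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party_hosts = {h.lower() for h in first_party_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag != "a" or attr.get("target", "").strip().lower() != "_blank":
            return
        missing = REQUIRED_REL - set(attr.get("rel", "").lower().split())
        if not missing:
            return
        href = attr.get("href", "")
        host = (urlsplit(href).hostname or "").lower()
        # A relative URL has no host and stays on the current site.
        first_party = host == "" or host in self.first_party_hosts
        self.findings.append({"href": href, "missing_rel": sorted(missing),
                              "third_party": not first_party})


def audit_strings(strings, first_party_hosts):
    """Return one finding per target="_blank" link missing a rel token."""
    findings = []
    for text in strings:
        parser = BlankTargetAudit(first_party_hosts)
        parser.feed(text)
        parser.close()
        findings.extend(parser.findings)
    return findings


# Constructed sample strings; the hosts are placeholders, not from the ticket.
SAMPLE_STRINGS = [
    'Read the <a href="https://events.example.org/help" target="_blank">guide</a>.',
    'See <a href="https://other.example.net/" target="_blank" rel="noopener">this</a>.',
    'Visit <a href="/faq" target="_blank" rel="noopener noreferrer">the FAQ</a>.',
]

if __name__ == "__main__":
    for finding in audit_strings(SAMPLE_STRINGS, {"events.example.org"}):
        print(finding)
```

Findings with `third_party` set to true are the ones that match the arbitrary-link case described in comment #1; first-party findings are the hardcoded case the ticket was closed on.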
