#3636 closed enhancement (wontfix)
WordCamp.org - Add rel="noopener noreferrer" to links with target="_blank"
| Reported by: | garrett-eclipse | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Component: | WordCamp Site & Plugins | Keywords: | |
| Cc: | | | |
Description
Hello,
While translating the new strings for WordCamp.org I found a few with target="_blank" on them.
I believe for security they should have the rel="noopener noreferrer" attribute on them.
From some core tickets like #36809 that seems to be the recommendation.
Cheers
Attachments (1)
Change History (3)
#1
@
6 years ago
- Resolution set to wontfix
- Status changed from new to closed
I think the reason Core added `noreferrer noopener` to `post_content` links in #wp36809 was because the context there is arbitrary links, where the target site may not be trustworthy, and could launch a tabnabbing attack. The links in Screen Shot 2018-05-24 at 10.24.29 PM.png are hardcoded, though, and point to pages on wordcamp.org, rather than a 3rd party site.
Core also has to provide tools for the majority, while the standards for w.org sites are more tailored to our use cases. In general, the Security team doesn't consider phishing attacks to be a significant threat, and for tabnabbing in particular, the `noopener noreferrer` mitigation doesn't seem to work very well.
Given all that, I'm gonna go ahead and close this as `wontfix`, but anybody should feel free to reopen it if you feel strongly that it makes sense.
Strings with target="_blank" links
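An audit along the lines of the distinction drawn in comment #1 (hardcoded first-party links versus arbitrary third-party targets), as an added example that is not part of the ticket or of WordCamp.org's code: it scans strings for `target="_blank"` links that carry neither `noopener` nor `noreferrer` and labels each by destination. The `FIRST_PARTY` list, the function names and the sample strings are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this audit treats as first-party (not from any project config).
FIRST_PARTY = ("wordcamp.org",)


def classify(href):
    """Return 'first-party', 'third-party' or 'unknown' for a link target."""
    try:
        host = (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed URL, cannot be judged
        return "unknown"
    if host:
        # Exact host or a true subdomain only; a bare suffix match would
        # accept look-alikes such as wordcamp.org.lookalike.example.
        ours = any(host == d or host.endswith("." + d) for d in FIRST_PARTY)
        return "first-party" if ours else "third-party"
    # No host: a site-relative path stays on the same site; anything else
    # (e.g. a "%s" placeholder filled in at runtime) cannot be judged statically.
    return "first-party" if href.startswith(("/", "#")) else "unknown"


class BlankTargetAudit(HTMLParser):
    """Collect <a target="_blank"> links that do not sever window.opener."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag != "a" or attr.get("target", "").lower() != "_blank":
            return
        rel = set(attr.get("rel", "").lower().split())
        # Either token is enough: noreferrer implies noopener in the HTML spec.
        if not rel & {"noopener", "noreferrer"}:
            href = attr.get("href", "")
            self.findings.append((href, classify(href)))


def audit(strings):
    """Return (href, classification) for every unprotected _blank link."""
    parser = BlankTargetAudit()
    for text in strings:
        parser.feed(text)
    parser.close()
    return parser.findings
```

Entries labelled `third-party` or `unknown` are the ones where the destination page is outside the site's control; `first-party` entries match the hardcoded-link case described in the comment.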