Skip to Content Skip to Menu

🌟 CB Editor Assistant 1.0.0 is here! Discover our new AI Joomla Plugin that wrote its story! (and this banner!)
Start at just $12.50/month* or 💸 save 30% with our 🛍️ Intro Black Friday Offer for a lifetime*

[#6448] CB web address field - rel="noopener noreferrer"

  • ricco1
  • ricco1
  • OFFLINE
  • Posts: 310
  • Thanks: 8
  • Karma: -7
7 years 9 months ago - 7 years 9 months ago #291522 by ricco1
Who is you to put noopener in the links of my website?

Who is you to tell me when I'd like to post what I think? 240 seconds restriction!?! lol

That is why I'm leaving you.

Sorry.

Good bye.
Last edit: 7 years 9 months ago by ricco1. Reason: bye-bye
The topic has been locked.
  • beat
  • beat
  • OFFLINE
  • Posts: 2171
  • Thanks: 463
  • Karma: 352
7 years 9 months ago - 7 years 9 months ago #291525 by beat

ricco1 wrote: :)

ricco1 wrote: Who is you to put noopener in the links of my website?

Who is you to tell me when I'd like to post what I think? 240 seconds restriction!?! lol

That is why I'm leaving you.

Sorry.

Good bye.


CB is open-source, people can improve their copy as they see fit, and also contribute back real improvements with code proposals.

As people can see above, you were showing "happy :) " after we listened to your feedback and having "noreferer" setting added, so that it's back as needed when needed.

We didn't see any use-case for removing noopener, nor requests so no reasons to add one more setting, while it is clearly a documented security issue when it is not there. See here why it is dangerous to have outlinks without noopener and why it needs to be there to protect your site and your users from sophisticated potential attacks.

If we would have to ask permission to everyone for each security tightening, or new feature, it would not be bearable.

Unrelated, Kunena seems to have now fixed their a bit annoying 240 seconds bug, and we're upgrading our forum this week-end.

We are not forcing anyone to come or to stay, No hard feelings. Wishing you to find a new solution where developers ask for permission for each new feature or security improvement, and where their forum never has a single bug. Good luck and Good bye! :)

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
Last edit: 7 years 9 months ago by beat. Reason: semantic typo
The topic has been locked.
  • ricco1
  • ricco1
  • OFFLINE
  • Posts: 310
  • Thanks: 8
  • Karma: -7
7 years 9 months ago - 7 years 9 months ago #291568 by ricco1
We will stay with you some more time but we don't like your way of doing CB. Stop deciding on our behalf. Show me a community website that is using noopener!?
Last edit: 7 years 9 months ago by ricco1.
The topic has been locked.
  • krileon
  • krileon
  • ONLINE
  • Posts: 48551
  • Thanks: 8291
  • Karma: 1445
7 years 9 months ago #291569 by krileon
The below is why noopener was added.

mathiasbynens.github.io/rel-noopener/

It was added to protect your site from being hijacked through a browser vulnerability that browser developers refuse to fix or have taken far too long to do so. The default browser behavior should be noopener or at the very least do an origin check, but it doesn't.

Any website using noreferrer is also protected as it does noopener + hides the referrer. Facebook uses noopener for all user supplied external URLs. Google+ uses a middle-man redirect domain. Twitter uses middle-man redirect domain and noopener.

What is your argument against noopener in the first place? I'm trying to understand why you're so upset over this change that has zero negative impact on your site. If you've a usecase for needing noopener removed then please do explain as we are unable to determine any.

Additionally if you do not like how we output web address fields you can entirely customize how the field outputs using the Layout parameters


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
The following user(s) said Thank You: beat, nant, ricco1
The topic has been locked.
  • ricco1
  • ricco1
  • OFFLINE
  • Posts: 310
  • Thanks: 8
  • Karma: -7
7 years 9 months ago - 7 years 9 months ago #291686 by ricco1
As you've said, it hides the referrer and I think hiding the referrer is bad.

I've checked fb and I couldn't find noopener anywhere.

I've tried customizing how the field outputs using the Layout parameters but I couldn't make it properly specially the http part.

It also irritates me that you've given us no option to control it.

I think both noreferrer and noopener are fundamentally wrong, not that I like them. They are fixing target=_blank, then something else will have to fix them.

Actually if you give us the option now I think I will leave it on, for now.
Last edit: 7 years 9 months ago by ricco1.
The topic has been locked.
  • krileon
  • krileon
  • ONLINE
  • Posts: 48551
  • Thanks: 8291
  • Karma: 1445
7 years 9 months ago #291689 by krileon
noopener does not hide the referrer. noreferrer does. We added a parameter to disable adding noreferrer to web address fields as per your request. Update to latest build and see Parameters > Display then set "Referrer this link" to "No Referrer". There will not be a parameter to turn off nooponer. There is no point in such a parameter. Using noopener has zero negative impact on your site. I've already provided a simple example of how user supplied URLs with _blank can exploit the opener.

I've checked fb and I couldn't find noopener anywhere.



Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
Attachments:
The following user(s) said Thank You: beat
The topic has been locked.
Moderators: beatnantkrileon
Powered by Kunena Forum