[#6448] CB web address field - rel="noopener noreferrer"

Who is you to put noopener in the links of my website?

Who is you to tell me when I'd like to post what I think? 240 seconds restriction!?! lol

That is why I'm leaving you.

Sorry.

Good bye.

ricco1 wrote:

ricco1 wrote: Who is you to put noopener in the links of my website?

Who is you to tell me when I'd like to post what I think? 240 seconds restriction!?! lol

That is why I'm leaving you.

Sorry.

Good bye.

CB is open-source, people can improve their copy as they see fit, and also contribute back real improvements with code proposals.

As people can see above, you were showing "happy " after we listened to your feedback and having "noreferer" setting added, so that it's back as needed when needed.

We didn't see any use-case for removing noopener, nor requests so no reasons to add one more setting, while it is clearly a documented security issue when it is not there. See here why it is dangerous to have outlinks without noopener and why it needs to be there to protect your site and your users from sophisticated potential attacks.

If we would have to ask permission to everyone for each security tightening, or new feature, it would not be bearable.

Unrelated, Kunena seems to have now fixed their a bit annoying 240 seconds bug, and we're upgrading our forum this week-end.

We are not forcing anyone to come or to stay, No hard feelings. Wishing you to find a new solution where developers ask for permission for each new feature or security improvement, and where their forum never has a single bug. Good luck and Good bye!

We will stay with you some more time but we don't like your way of doing CB. Stop deciding on our behalf. Show me a community website that is using noopener!?

The below is why noopener was added.

mathiasbynens.github.io/rel-noopener/

It was added to protect your site from being hijacked through a browser vulnerability that browser developers refuse to fix or have taken far too long to do so. The default browser behavior should be noopener or at the very least do an origin check, but it doesn't.

Any website using noreferrer is also protected as it does noopener + hides the referrer. Facebook uses noopener for all user supplied external URLs. Google+ uses a middle-man redirect domain. Twitter uses middle-man redirect domain and noopener.

What is your argument against noopener in the first place? I'm trying to understand why you're so upset over this change that has zero negative impact on your site. If you've a usecase for needing noopener removed then please do explain as we are unable to determine any.

Additionally if you do not like how we output web address fields you can entirely customize how the field outputs using the Layout parameters

As you've said, it hides the referrer and I think hiding the referrer is bad.

I've checked fb and I couldn't find noopener anywhere.

I've tried customizing how the field outputs using the Layout parameters but I couldn't make it properly specially the http part.

It also irritates me that you've given us no option to control it.

I think both noreferrer and noopener are fundamentally wrong, not that I like them. They are fixing target=_blank, then something else will have to fix them.

Actually if you give us the option now I think I will leave it on, for now.

noopener does not hide the referrer. noreferrer does. We added a parameter to disable adding noreferrer to web address fields as per your request. Update to latest build and see Parameters > Display then set "Referrer this link" to "No Referrer". There will not be a parameter to turn off nooponer. There is no point in such a parameter. Using noopener has zero negative impact on your site. I've already provided a simple example of how user supplied URLs with _blank can exploit the opener.

I've checked fb and I couldn't find noopener anywhere.