Stop adding `rel="noreferrer"` to external URLs

This property was added together with `noopener` to protect users with older web
browsers that do not yet support `noopener`. The latter now is well-supported since
several years and in fact even is the default value in modern web browsers.

This allows us to drop the `noreferrer` from those links safely. Stripping the
`referer` header can be more reliably achieved with the `referrer-policy`
header that also gives the administrator more fine-grained control.

diff --git a/wcfsetup/install/files/acp/templates/header.tpl b/wcfsetup/install/files/acp/templates/header.tpl
index 1b77185232b30f2a23e3cefbf44095470af57acd..228b61f7b51a75316050bcc44fe5dd0cc5f51e81 100644 (file)
--- a/wcfsetup/install/files/acp/templates/header.tpl
+++ b/wcfsetup/install/files/acp/templates/header.tpl
@@ -211,7 +211,6 @@
                                if (link.classList.contains('externalURL')) {
                                        var rel = (link.rel === '') ? [] : link.rel.split(' ');
                                        if (rel.indexOf('noopener') === -1) rel.push('noopener');
-                                       if (rel.indexOf('noreferrer') === -1) rel.push('noreferrer');
                                        
                                        link.rel = rel.join(' ');
                                }

diff --git a/wcfsetup/install/files/lib/system/html/output/node/HtmlOutputNodeA.class.php b/wcfsetup/install/files/lib/system/html/output/node/HtmlOutputNodeA.class.php
index 60e185242d537b293baa82b7065e3a861205f34a..501724c7be9c60020539911db9cfdeb56f5b2908 100644 (file)
--- a/wcfsetup/install/files/lib/system/html/output/node/HtmlOutputNodeA.class.php
+++ b/wcfsetup/install/files/lib/system/html/output/node/HtmlOutputNodeA.class.php
@@ -77,7 +77,7 @@ class HtmlOutputNodeA extends AbstractHtmlOutputNode
 
         $rel = 'nofollow';
         if (EXTERNAL_LINK_TARGET_BLANK) {
-            $rel .= ' noopener noreferrer';
+            $rel .= ' noopener';
 
             $element->setAttribute('target', '_blank');
         }

diff --git a/wcfsetup/install/files/lib/system/template/plugin/AnchorAttributesFunctionTemplatePlugin.class.php b/wcfsetup/install/files/lib/system/template/plugin/AnchorAttributesFunctionTemplatePlugin.class.php
index 757fbcc5d8a8120f8b337e08ed7d8ac364c5a36e..745bf92549c70e6597f170a03c75ae0fab14b84c 100644 (file)
--- a/wcfsetup/install/files/lib/system/template/plugin/AnchorAttributesFunctionTemplatePlugin.class.php
+++ b/wcfsetup/install/files/lib/system/template/plugin/AnchorAttributesFunctionTemplatePlugin.class.php
@@ -59,7 +59,7 @@ class AnchorAttributesFunctionTemplatePlugin implements IFunctionTemplatePlugin
 
             $rel = 'nofollow';
             if (EXTERNAL_LINK_TARGET_BLANK) {
-                $rel .= ' noopener noreferrer';
+                $rel .= ' noopener';
                 $attributes .= ' target="_blank"';
             }
             if ($isUgc) {

diff --git a/wcfsetup/install/files/lib/util/StringUtil.class.php b/wcfsetup/install/files/lib/util/StringUtil.class.php
index d3fb521faf126de6e236cd4d93ff5c412d9def2b..377912bb98df0f98e788920aac11ff2181633078 100644 (file)
--- a/wcfsetup/install/files/lib/util/StringUtil.class.php
+++ b/wcfsetup/install/files/lib/util/StringUtil.class.php
@@ -763,7 +763,7 @@ final class StringUtil
             $attributes .= ' class="externalURL"';
             $rel = 'nofollow';
             if (EXTERNAL_LINK_TARGET_BLANK) {
-                $rel .= ' noopener noreferrer';
+                $rel .= ' noopener';
                 $attributes .= 'target="_blank"';
             }
             if ($isUgc) {