[wp-meta] [Making WordPress.org] #3636: WordCamp.org - Add rel="noopener noreferrer" to links with target="_blank"
Making WordPress.org
noreply at wordpress.org
Fri May 25 14:08:07 UTC 2018
#3636: WordCamp.org - Add rel="noopener noreferrer" to links with target="_blank"
-------------------------------------+----------------------
Reporter: garrett-eclipse | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: WordCamp Site & Plugins | Resolution: wontfix
Keywords: |
-------------------------------------+----------------------
Changes (by iandunn):
* status: new => closed
* resolution: => wontfix
Comment:
I think the reason Core added `noreferrer noopener` to `post_content` links
in #wp36809 was because the context there is arbitrary links, where the
target site may not be trustworthy, and could launch a tabnabbing attack.
The links in [attachment:"Screen Shot 2018-05-24 at 10.24.29 PM.png"] are
hardcoded, though, and point to pages on wordcamp.org, rather than a 3rd
party site.
Core also has to provide tools for the majority, while the standards for
w.org sites are more tailored to our use cases. In general,
[https://hackerone.com/wordpress the Security team doesn't consider
phishing attacks to be a significant threat], and for tabnabbing in
particular, [https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
the `noopener noreferrer` mitigation doesn't seem to work very well].
Given all that, I'm gonna go ahead and close this as `wontfix`, but
anybody should feel free to reopen it if you feel strongly that it makes
sense.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/3636#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
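The distinction drawn in the comment above (hardcoded links to wordcamp.org versus arbitrary third-party links), as an added example that is not part of the ticket or of any WordCamp.org code: a small audit that lists only the `target="_blank"` links leaving the first-party domain without `noopener` or `noreferrer`. The function names, the sample markup and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE = "wordcamp.org"  # first-party domain named in the ticket

def is_first_party(href, site=SITE):
    """Relative URLs and hosts equal to or under `site` count as first-party."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:              # malformed authority: treat as untrusted
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return parts.scheme == ""   # "/schedule/" yes, scheme-only URLs no
    return host == site or host.endswith("." + site)

class BlankTargetAudit(HTMLParser):
    """Collects every <a>/<area> that opens a new browsing context."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = {}
        for name, value in attrs:   # first duplicate wins, as in browsers
            a.setdefault(name, value or "")
        if a.get("target", "").lower() != "_blank":
            return
        rel = set(a.get("rel", "").lower().split())
        href = a.get("href", "")
        self.findings.append({
            "href": href,
            "first_party": is_first_party(href),
            # noreferrer implies noopener in the HTML specification
            "protected": bool(rel & {"noopener", "noreferrer"}),
        })

def audit(html):
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def needs_rel(html):
    """hrefs of new-tab links to other sites that lack noopener/noreferrer."""
    return [f["href"] for f in audit(html)
            if not f["first_party"] and not f["protected"]]

# Constructed sample markup; none of these hosts come from the ticket.
SAMPLE = """
<a href="/schedule/" target="_blank">Schedule</a>
<a href="https://example-city.wordcamp.org/tickets/" target="_blank">Tickets</a>
<a href="https://sponsor.example/" target="_blank">Sponsor</a>
<a href="https://wordcamp.org.lookalike.example/" target="_BLANK" rel="nofollow">Lookalike</a>
<a href="https://venue.example/" target="_blank" rel="noopener noreferrer">Venue</a>
<a href="https://other.example/">Same tab</a>
"""
```

The host comparison is on the parsed hostname with a leading-dot suffix match, so a lookalike such as `wordcamp.org.lookalike.example` is classified as third-party.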