Tryton - Issues

Issue9089

Title: Missing noreferrer noopener on external links
Priority: urgent
Status: resolved
Superseder:
Nosy List: bch, ced, nicoe, pokoli, roundup-bot, sharkcz, yangoon
Type: security
Components: sao
Assigned To: ced
Keywords: review
Reviews: 289401002

Created on 2020-02-25.17:59:51 by ced, last changed by roundup-bot.

Messages
New changeset e15bb19e954f by Cédric Krier in branch 'default':
Add noreferrer noopener to external URL
https://hg.tryton.org/tryton-env/rev/e15bb19e954f

New changeset f67e15947726 by Cédric Krier in branch 'default':
Add noreferrer noopener to window.open calls
https://hg.tryton.org/tryton-env/rev/f67e15947726

New changeset ecd678a55935 by Cédric Krier in branch 'default':
Add noreferrer noopener to external URL
https://hg.tryton.org/sao/rev/ecd678a55935

New changeset 53a4ae64df70 by Cédric Krier in branch '5.4':
Add noreferrer noopener to external URL
https://hg.tryton.org/sao/rev/53a4ae64df70

New changeset 2083a2128a0f by Cédric Krier in branch '5.2':
Add noreferrer noopener to external URL
https://hg.tryton.org/sao/rev/2083a2128a0f

New changeset 21b7b747377a by Cédric Krier in branch '5.0':
Add noreferrer noopener to external URL
https://hg.tryton.org/sao/rev/21b7b747377a

New changeset c7bd1a068915 by Cédric Krier in branch 'default':
Add noreferrer noopener to window.open calls
https://hg.tryton.org/sao/rev/c7bd1a068915

New changeset 74e7456fe856 by Cédric Krier in branch '5.4':
Add noreferrer noopener to window.open calls
https://hg.tryton.org/sao/rev/74e7456fe856

New changeset ec2b95efffe0 by Cédric Krier in branch '5.2':
Add noreferrer noopener to window.open calls
https://hg.tryton.org/sao/rev/ec2b95efffe0

New changeset f8623c2879aa by Cédric Krier in branch '5.0':
Add noreferrer noopener to window.open calls
https://hg.tryton.org/sao/rev/f8623c2879aa
msg56032 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-03-04.00:18:51
I propose to re-schedule the security release on 9th March about 18:00 CET
msg56020 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-03-03.11:10:05
I will postpone the release to include issue9108. I think it is better to have one single security release to avoid unnecessary work for system operators.
msg55966 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2020-03-01.17:12:51
Still "You do not have permission to view this issue".
msg55666 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-03-01.11:02:05
I propose to make the security release this Tuesday 3rd March at about 18:00 CET. And to publish the security news the 4th at 18:00.
msg55593 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2020-02-25.23:41:28
You do not have permission to view this issue

Could the nosy list please be added to security reviews?
msg55582 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-02-25.17:59:50
In sao, the widget URL, which may contain external URLs, does not set noreferrer noopener as advised on MDN[1].
A crafted URL opened from this widget may take control of the page where sao is running and steal information like the session.
So I think we should always set the recommended attribute for all hrefs pointing to external resources.

[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-target
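The two fixes listed in the changesets above (rel="noreferrer noopener" on external anchors, and the same features on window.open calls) are illustrated by the following added example. It is not sao's own code and is not taken from the changesets: the origin https://erp.example.com, the helper names isExternal, anchorAttrs, anchorHtml and openExternal, and the injectable openFn parameter (so the helper runs outside a browser) are all assumptions made for this example.

```javascript
// Added example, not sao's code: harden links and window.open() calls that
// leave the application's origin, as the fix in this issue does.
// Assumed origin the client runs on (constructed for this example).
const APP_ORIGIN = 'https://erp.example.com';

// True when `url` resolves to an origin other than the application's own.
// Relative URLs resolve against appOrigin and are therefore internal.
// Unparsable or non-http schemes (javascript:, mailto:) have origin "null"
// and are treated as external; scheme filtering is a separate concern.
function isExternal(url, appOrigin = APP_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(url, appOrigin);
  } catch (e) {
    return true;
  }
  return parsed.origin !== new URL(appOrigin).origin;
}

// Minimal attribute escaping so a crafted URL cannot break out of the
// attribute value when markup is built as a string.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute set for an <a>. External targets open in a new browsing
// context that has no window.opener and sends no Referer header, so a
// crafted page cannot do:
//   if (window.opener) window.opener.location = 'https://erp.example.com.evil.example/login';
// (reverse tabnabbing) and does not learn the URL it was opened from.
function anchorAttrs(url, appOrigin = APP_ORIGIN) {
  const attrs = { href: url };
  if (isExternal(url, appOrigin)) {
    attrs.target = '_blank';
    attrs.rel = 'noreferrer noopener';
  }
  return attrs;
}

// Render the anchor as markup; attribute order follows insertion order.
function anchorHtml(url, text, appOrigin = APP_ORIGIN) {
  const attrs = anchorAttrs(url, appOrigin);
  const attrStr = Object.entries(attrs)
    .map(([k, v]) => `${k}="${escapeAttr(v)}"`)
    .join(' ');
  return `<a ${attrStr}>${escapeAttr(text)}</a>`;
}

// Wrapper for window.open(): the "noopener" feature severs the opener
// relationship, "noreferrer" suppresses the Referer header. openFn is
// injected so the wrapper can be exercised without a real window
// (assumed parameter, not part of any browser API).
function openExternal(url, openFn) {
  const open = openFn ||
    (typeof window !== 'undefined' ? window.open.bind(window) : null);
  if (!open) throw new Error('no window.open available');
  const win = open(url, '_blank', 'noopener,noreferrer');
  // Browsers that honour "noopener" return null; clear opener defensively
  // on those that still hand back a window object.
  if (win) win.opener = null;
  return win;
}
```

In current browsers rel="noreferrer" already implies the noopener behaviour, but both tokens are set, as in the fix, because some older browsers only cut the opener link for noopener. The check only decides whether to add the attributes; it does not make javascript: or other non-http hrefs safe, which needs its own scheme allowlist.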
History
Date                 User         Action  Args
2020-03-09 18:49:08  roundup-bot  set     messages: + msg56158
2020-03-09 18:44:04  roundup-bot  set     status: testing -> resolved
                                          nosy: + roundup-bot
                                          messages: + msg56156
                                          keyword: - backport
2020-03-04 00:18:51  ced          set     messages: + msg56032
2020-03-03 11:10:05  ced          set     messages: + msg56020
2020-03-01 17:12:51  yangoon      set     messages: + msg55966
2020-03-01 11:02:05  ced          set     messages: + msg55666
2020-02-25 23:41:28  yangoon      set     messages: + msg55593
2020-02-25 18:03:00  ced          set     priority: bug -> urgent
2020-02-25 18:02:45  ced          set     keyword: + backport
2020-02-25 18:02:00  ced          set     status: in-progress -> testing
                                          reviews: 289401002
                                          keyword: + review
