I ran a detectify.com scan on my site and it’s highlighted an issue with opening external links as _blank (opening in a new tab).
There is a good description of the vulnerability here:
The solution is to add the following parameter to the link:
rel="noopener noreferrer"
I notice there is an option to add ‘No follow’ in Blocs, but can we please also have the option to add this for external links (or perhaps just automate this for external links)?
So, the security vulnerability is still being highlighted as follows, which isn’t great for a professional website where security is critical:
"In order to mitigate the issue, add the following attribute to your link(s): rel="noopener noreferrer""
I therefore cannot find a solution to this, unless I remove the _blank target altogether. I think the proper solution is for Blocs to provide an option for this, or a way to make additions to the tag.
Thanks for the suggestions. Sure it’s possible with hand coded insertions, although this isn’t ideal and just makes for added complication.
It seems for something like this, where it’s always going to be seen as a security issue for external links with a _blank target, that a cleaner solution be made available via Blocs.
Until Blocs has that, those are two valid options in the meantime. (using JavaScript is probably the easiest)
I did some reading on this, because it seems little talked about (in my circles anyway) and apparently it’s a non-issue if you’re linking to a trusted website, as the person exploiting the vulnerability has to have control of that page.
So with that in mind, icons to trusted social media sites would be a non-issue. And the CDA works on other links in Blocs fine.
Still submit a wish-list for it. Norm could probably put an optional tick box, like when you select new tab or apply it to every link?
Thanks, yeah I realise it’s not a genuine issue for trusted links, but it’s currently increasing our CVSS score which we report to clients. We have our own custom angular/JS website/platform, Blocs is used to generate our landing pages, so it would be nice to get a clean solution for this in the editor. We use Blocs for making quick and easy updates via Amazon S3, so we ideally don’t want to be making manual changes.
The code blocks would be a good temporary solution for now. I don’t really want to be messing around with JS for these pages.
It’s in the next version coming today, build 4. It’s part of the no follow function on interactions, so if you set the no follow check off and then back on again it adds the attributes to the link.
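
The JavaScript route mentioned in the thread, as an added example that is not code from any poster or from Blocs: it adds rel="noopener noreferrer" to every cross-origin link that opens in a new tab, keeping tokens already present such as nofollow. The function names (mergeRel, isExternal, hardenLinks) are hypothetical.

```javascript
// Added example; mergeRel, isExternal and hardenLinks are hypothetical helpers.

// Merge the required tokens into an existing rel value without dropping
// tokens that are already there (e.g. "nofollow" set by the editor).
function mergeRel(existing) {
  const tokens = new Set((existing || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// True when href resolves to an http(s) URL on a different origin than the page.
function isExternal(href, pageUrl) {
  try {
    const target = new URL(href, pageUrl);
    if (target.protocol !== "http:" && target.protocol !== "https:") return false;
    return target.origin !== new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable href: leave the link untouched
  }
}

// Patch every external link that opens a new tab; returns how many changed.
function hardenLinks(doc, pageUrl) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const href = a.getAttribute("href");
    if (!href || !isExternal(href, pageUrl)) continue;
    const rel = mergeRel(a.getAttribute("rel"));
    if (rel !== a.getAttribute("rel")) {
      a.setAttribute("rel", rel);
      changed++;
    }
  }
  return changed;
}

// In the browser, run once the DOM is ready; skipped outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => hardenLinks(document, location.href));
}
```

Because the attribute is added at runtime, a scanner that only reads the static HTML may still report the links; generating the attribute in the exported markup avoids that.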