This proposal has been implemented

  • Reviewed by @product and accepted in the main project
  • Developed by Mainio Tech
  • Available in release 0.25 via #7397

[Security] Add an external link warning

**Is your feature request related to a problem? Please describe.**

Decidim currently renders external links, some of which participant users can enter themselves (in comments, private messages, profile links, etc.). This can expose users to phishing attacks in case a malicious user enters a link to a site under their control that reproduces exactly the layout of the original site. Such an attempt could trick a user into, e.g., entering their password on a site that is no longer the one they assume it to be.

**Describe the solution you'd like**

There should be a special page inside Decidim which warns the user that they are about to leave the site for an external page. The user should be able to click a button to confirm that they understand they are leaving the site; clicking that button should open the actual target URL.

**Describe alternatives you've considered**

One alternative could be opening a popup on the same page which warns the user before agreeing to go to another page. This would, however, leave users without JavaScript enabled exposed to such attacks.

**Additional context**

Each of these "special" warning pages should have a unique URL in order not to affect how search engines process the links.

The special page should also have the "noindex" meta tag defined on it in order to keep these warning pages out of the search indexes.

Additionally, I'd like some sort of a way to control the external link domain "whitelists" which would open without this warning. This could be needed e.g. for the city's own sites, which generally do not expose such security issues.
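The pieces described above (rewriting participant-entered external links to a warning page with a unique per-target URL, a "noindex" meta tag on that page, a domain whitelist that bypasses it, and a server-side check so the warning page cannot be abused as an open redirector) fit together as follows. This is an added illustration in plain Ruby, not Decidim's own implementation from #7397; the host names, the `/link` path, the `external_url` parameter name and the function names are all assumptions.

```ruby
require "uri"
require "cgi"
require "set"

# Assumed configuration (not Decidim's): hosts that open directly, without
# the warning page, e.g. the city's own sites.
TRUSTED_HOSTS = Set.new(%w[city.example www.city.example])

# Assumed host of the Decidim installation being protected.
OWN_HOST = "participate.city.example"

# Assumed path and parameter name of the warning page.
WARNING_PATH = "/link"
WARNING_PARAM = "external_url"

# True when an href points to a host that is neither our own nor whitelisted.
# Relative links and non-http(s) schemes (mailto:, javascript:, data:) are
# left to the normal sanitizer and never routed through the warning page.
def external_link?(href)
  uri = URI.parse(href.to_s.strip)
  return false unless uri.is_a?(URI::HTTP) # covers both http and https
  host = uri.host.to_s.downcase
  return false if host == OWN_HOST
  !TRUSTED_HOSTS.include?(host)
rescue URI::InvalidURIError
  false
end

# Each distinct destination yields a distinct warning-page URL, so search
# engines see one URL per link rather than one shared interstitial.
def warning_url(href)
  "#{WARNING_PATH}?#{WARNING_PARAM}=#{CGI.escape(href)}"
end

# Rewrite href attributes in an already-rendered HTML fragment
# (a comment, a private message, a profile link).
def rewrite_external_links(html)
  html.gsub(/href="([^"]*)"/) do
    href = CGI.unescapeHTML(Regexp.last_match(1))
    if external_link?(href)
      %(href="#{warning_url(href)}" rel="noopener noreferrer")
    else
      Regexp.last_match(0) # leave local and whitelisted links untouched
    end
  end
end

# Server-side validation for the warning page: the only thing it will ever
# link to is an absolute http(s) URL with a host. Anything else (a scheme
# like javascript:, a bare path) is rejected so the page cannot be used as
# an open redirector.
def safe_target(param)
  uri = URI.parse(param.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Render the warning page, or nil when the requested target is not allowed.
# The continue link is a plain anchor so the flow works without JavaScript.
def warning_page(param)
  target = safe_target(param)
  return nil unless target

  shown = CGI.escapeHTML(target)
  <<~HTML
    <!DOCTYPE html>
    <html>
    <head>
      <meta name="robots" content="noindex, nofollow">
      <title>You are leaving the site</title>
    </head>
    <body>
      <p>You are about to open an external page: <code>#{shown}</code></p>
      <a href="#{shown}" rel="noopener noreferrer">I understand, continue</a>
    </body>
    </html>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample comment containing an external and a local link.
  comment = '<a href="https://lookalike.example.net/login">log in</a> <a href="/processes/1">process</a>'
  puts rewrite_external_links(comment)
  puts warning_page("https://lookalike.example.net/login")
end
```

The whitelist compares exact host names rather than suffixes, so `city.example` does not implicitly trust `city.example.evil.example.net`; extend `TRUSTED_HOSTS` per installation instead of loosening the comparison.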

In the attachment, there is an example of such a warning page as implemented at HackerOne.

**Could this issue impact users' private data?**

Yes, it has a potential positive effect on users' private data, keeping it more secure.

**Funded by**

Not funded.



