File block: Remove rel attribute from text link; add migration #77345
adamsilverstein wants to merge 1 commit into
The File block's save function previously added rel="noreferrer noopener" to the text link when opened in a new tab. Modern browsers apply noopener implicitly for target="_blank" (Chrome 88+, Firefox 79+, Safari 12.1+), and noreferrer blocks legitimate referrer tracking without meaningful security benefit on supported browsers. Add a new v4 deprecation mirroring the current block schema but with the previous save output so existing saved blocks migrate cleanly on reload. Fixture added: core__file__new-window__deprecated-2 exercises the v4 migration path (input has rel="noreferrer noopener", output has no rel). Follow-up to WordPress#26968 per review feedback from @t-hamano.
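As an added example (not part of this PR or of Gutenberg's code), the JavaScript below audits saved post content for links that open a new tab and reports whether each one carries explicit rel tokens or depends on the browser's implicit noopener default. The function names and sample markup are constructed for illustration, and the version table uses the minimums quoted in the description above.

```javascript
// Added example, not Gutenberg code. Minimum versions are the ones quoted in the PR.
const IMPLICIT_NOOPENER_MIN = { chrome: 88, firefox: 79, safari: 12.1 };

// Parse one <a ...> start tag into an object keyed by lowercase attribute name.
// Assumes serialized block markup, where attribute values contain no ">".
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify how a link's new browsing context is isolated from the opener.
function classifyLink(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return 'not-new-tab';
  const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  if (rel.has('noopener') || rel.has('noreferrer')) return 'explicit'; // noreferrer implies noopener
  if (rel.has('opener')) return 'opener-enabled'; // opts back in to window.opener
  return 'implicit'; // protected only by the browser default
}

// Return { href, status } for every anchor in the saved content.
function auditLinks(html) {
  return (html.match(/<a\b[^>]*>/gi) || []).map((tag) => {
    const attrs = parseAttributes(tag);
    return { href: attrs.href || '', status: classifyLink(attrs) };
  });
}

// True when the given browser applies noopener to target="_blank" by default.
function hasImplicitNoopener(browser, version) {
  const min = IMPLICIT_NOOPENER_MIN[browser.toLowerCase()];
  return min !== undefined && version >= min;
}

// Constructed sample content: old File block output, new output, an opt-in link,
// and a link that stays in the same tab.
const SAMPLE = [
  '<a href="https://example.test/a.pdf" target="_blank" rel="noreferrer noopener">a</a>',
  '<a href="https://example.test/b.pdf" target="_blank">b</a>',
  '<a href="https://example.test/c.pdf" target="_blank" rel="opener">c</a>',
  '<a href="https://example.test/d.pdf">d</a>',
].join('\n');

console.log(auditLinks(SAMPLE));
```

Links reported as `implicit` are the ones whose isolation depends on the visitor's browser version; `opener-enabled` links expose `window.opener` regardless of browser.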
I don't think this fixture file can correctly check if the v4 migration is working properly. Try to run 'npm run fixtures:regenerate' after deleting the v4 migration. This isValid field should remain true. In other words, this fixture will not break the block even if the v4 migration is absent. To ensure the v4 migration works correctly, I believe we need to validate it using HTML generated from a PDF file.
Additionally, the number 2 might be misunderstood as v2 migration, so a filename like core__file__deprecated-4.html might be better.
The improved block validation levels from #73116 might land soon. How will the new validation features affect this PR? Will the
I have the same question and was thinking we should hold off on merging this until clarified.
Description
Follow-up to #26968 per @t-hamano's review feedback. The File block change was deferred from #26968 because its save() function deterministically generates the rel attribute, so changing the output invalidates existing saved blocks on reload. This PR handles the File block properly with a migration.
Changes
- save.js: Remove the rel attribute entirely from the text link <a>. Modern browsers apply noopener implicitly for target="_blank" links (Chrome 88+, Firefox 79+, Safari 12.1+), so no meaningful security regression on supported browsers. noreferrer is also dropped per the broader effort in Stop adding “noreferrer” to external links. #26968 / Stop adding rel=noreferrer to links that open in a new tab #26914.
- deprecated.js: Add a new v4 deprecation at the top of the list, mirroring the current block's attributes and supports exactly but emitting rel="noreferrer noopener". No migrate/isEligible needed — attributes are identical between v4 and the new current block; only the serialized rel differs, which is the precise shape the deprecation system handles.
- core__file__new-window.* to reflect the new current save (no rel). Add core__file__new-window__deprecated-2.* to exercise the v4 migration path (input has old rel, serialized output has none).
Verification
- npm run test:unit -- test/integration/full-content — all 372 fixture tests pass, including the new core__file__new-window__deprecated-2.
- trunk, insert a File block, attach a PDF, enable "Open in new tab", save the post — post content contains rel="noreferrer noopener".
- v4.
- rel attribute.
Context
Types of changes
Behavior change — removes rel="noreferrer noopener" from File block saved output. Existing saved blocks migrate via the new v4 deprecation with no content loss.
Checklist