Add rel="noopener" to links with target="_blank"
claviska opened this issue

The security issue behind target="_blank" has been popping up over the Internet recently:

https://mathiasbynens.github.io/rel-noopener/
https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/
The Problem
Without [rel="noopener"], the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using window.opener.location = newURL.
The Solution
Links intended to open in a new window (via the Link panel) will receive the target="_blank" attribute. These links should also receive the rel="noopener" attribute if the href is foreign.
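
One way to implement the rule proposed above, as an added example that is not code from the issue or the project: compare origins rather than string prefixes to decide whether an href is foreign, and merge noopener into any rel tokens already on the link. The names isForeign, linkRel and SAMPLE_PAGE are hypothetical.

```javascript
// Added example; isForeign(), linkRel() and SAMPLE_PAGE are hypothetical names.
const SAMPLE_PAGE = "https://example.com/editor/page.html"; // constructed page URL

// True when href resolves to a different origin than the page it sits on.
function isForeign(href, pageUrl) {
  let target;
  try {
    target = new URL(href, pageUrl); // resolves relative and //host hrefs
  } catch (e) {
    return true; // unparsable href: fail closed and treat it as foreign
  }
  // Opaque origins (mailto:, data:, ...) serialize as "null" and never count as local.
  if (target.origin === "null") return true;
  // Origin comparison normalizes case and default ports, and is not fooled by
  // look-alike hosts such as example.com.evil.test.
  return target.origin !== new URL(pageUrl).origin;
}

// Returns the rel value to write on the link, or null when none is needed.
function linkRel({ href, target, rel }, pageUrl) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const opensNewWindow = (target || "").toLowerCase() === "_blank";
  if (opensNewWindow && isForeign(href, pageUrl)) {
    // Keep existing tokens (nofollow, ...) and avoid adding a duplicate.
    if (!tokens.some((t) => t.toLowerCase() === "noopener")) {
      tokens.push("noopener");
    }
  }
  return tokens.length ? tokens.join(" ") : null;
}
```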