About that, you should add rel="noopener" (and maybe noreferrer too) there, or the linked site could inject JS in yours, a security risk for your visitors.
I have a little usercss that adds a warning picture (::after { content: "pic"; }) on _target without noopener, and especially GitHub is bad there.
I’ve made a userscript that puts a rel="noopener" on target="_blank" links where missing, with no issues for about half a year of usage, while noreferrer breaks some payment processors and the like. Sadly, I lost it a few months ago and need to redo it sometime.
For quick reference, here is the first section from the MSDN docs:
The noopener keyword for the rel attribute of the <a>, <area>, and <form> elements instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).
Can you share some reference? I don’t understand how some linked site could affect the site containing it.
Stack Overflow, but here you go.
Thanks, really good to know.
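The userscript described in the comment above could look like the following. This is an added example, not the commenter's lost script; the names `hardenedRel` and `hardenLinks` are made up here, and leaving links with an explicit `rel="opener"` untouched is a choice of this example.

```javascript
// Added example: give target="_blank" links rel="noopener" where missing.

// Returns the rel value the element should carry, or null if no change
// is needed. rel is a space-separated, case-insensitive token list.
function hardenedRel(target, rel) {
  if ((target || "").toLowerCase() !== "_blank") return null;
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const lower = tokens.map((t) => t.toLowerCase());
  // noreferrer already implies noopener, so either one is enough.
  if (lower.includes("noopener") || lower.includes("noreferrer")) return null;
  // Explicit opt-in by the site; left alone so popup flows that rely on
  // window.opener keep working (assumption of this example).
  if (lower.includes("opener")) return null;
  // Keep existing tokens such as nofollow and append noopener.
  return [...tokens, "noopener"].join(" ");
}

// Applies hardenedRel to every <a>, <area> and <form> under root and
// returns how many elements were changed.
function hardenLinks(root) {
  let changed = 0;
  const els = root.querySelectorAll("a[target], area[target], form[target]");
  for (const el of els) {
    const rel = hardenedRel(el.getAttribute("target"), el.getAttribute("rel"));
    if (rel !== null) {
      el.setAttribute("rel", rel);
      changed += 1;
    }
  }
  return changed;
}

// In a browser: run once, then again whenever nodes are added.
// Only childList is observed, so our own setAttribute calls do not
// retrigger the observer.
if (typeof document !== "undefined") {
  hardenLinks(document);
  new MutationObserver(() => hardenLinks(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Only `noopener` is added, never `noreferrer`, in line with the comment's observation that `noreferrer` breaks some payment processors.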
the answers say these are not recommended anymore, because browsers changed their defaults a long time ago
I’ve looked into Firefox’s bug tracker and there it’s “solved” by not doing it because nobody else does it.
they changed their mind in ff 72: https://hacks.mozilla.org/2020/07/firefox-79/
also see: