<a target="_blank"> has implicit noopener as per spec.
See: whatwg/html#4330

Removed the wordings that could imply the behavior is vendor-specific.
Added links to Browser compatibility for easy reference.
kiding committed Feb 10, 2021
1 parent 91d2f42 commit 517d127
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion files/en-us/web/api/window/opener/index.html
Expand Up @@ -47,7 +47,7 @@ <h3 id="Value">Value</h3>
<code>{{htmlattrxref("rel", "a")}}=noopener</code> on a link, or passing
<code>noopener</code> in the {{domxref("Window.open", "windowFeatures")}} parameter.
</li>
<li>From Firefox 79, windows opened because of links with a {{htmlattrxref("target",
<li>Windows opened because of links with a {{htmlattrxref("target",
"a")}} of <code>_blank</code> don't get an <code>opener</code>, unless explicitly
requested with <code>{{htmlattrxref("rel", "a")}}=opener</code>.</li>
<li>Having a {{HTTPHeader("Cross-Origin-Opener-Policy")}} header with a value of
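Review bot: The rewritten list item beginning "Windows opened because of links with a target of _blank" now reads as unconditional, but the line it replaces tied the behavior to Firefox 79 and later, and this hunk adds no pointer to support data, unlike the two edits in a/index.html that add a "browser compatibility" link. Suggest appending a short reference to this page's compatibility data to the item, so readers know that browsers predating the change still give such windows an opener unless rel="noopener" is set.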
4 changes: 2 additions & 2 deletions files/en-us/web/html/element/a/index.html
Expand Up @@ -94,7 +94,7 @@ <h2 id="Attributes">Attributes</h2>
</div>

<div class="note">
<p><strong>Note:</strong> In newer browser versions (e.g. Firefox 79+) setting <code>target="_blank"</code> on <code>&lt;a&gt;</code> elements implicitly provides the same <code>rel</code> behavior as setting <code>rel="noopener"</code>.</p>
<p><strong>Note:</strong> Setting <code>target="_blank"</code> on <code>&lt;a&gt;</code> elements implicitly provides the same <code>rel</code> behavior as setting <code>rel="noopener"</code>. See <a href="#Browser_compatibility">browser compatibility</a> for support status.</p>
</div>
</dd>
<dt id="type">{{HTMLAttrDef("type")}}</dt>
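Review bot: In the note on target="_blank", dropping "In newer browser versions" makes the implicit noopener behavior read as universal, while the Security and privacy paragraph changed later in this same commit still says "in newer browser versions". Suggest keeping that qualifier here as well, or stating that authors who must support older browsers should still set rel="noopener" explicitly, so the two passages agree and nobody removes an explicit rel on the strength of this note alone.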
Expand Down Expand Up @@ -319,7 +319,7 @@ <h2 id="Security_and_privacy">Security and privacy</h2>

<p><code>&lt;a&gt;</code> elements can have consequences for users’ security and privacy. See <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns"><code>Referer</code> header: privacy and security concerns</a> for information.</p>

<p>Using <code>target="_blank"</code> without <code>rel="noreferrer"</code> and <code>rel="noopener"</code> makes the website vulnerable to {{domxref("window.opener")}} API exploitation attacks (<a href="https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/">vulnerability description</a>), although note that, in newer browser versions (e.g. Firefox 79+) setting <code>target="_blank"</code> implicitly provides the same protection as setting <code>rel="noopener"</code>.</p>
<p>Using <code>target="_blank"</code> without <code>rel="noreferrer"</code> and <code>rel="noopener"</code> makes the website vulnerable to {{domxref("window.opener")}} API exploitation attacks (<a href="https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/">vulnerability description</a>), although note that, in newer browser versions setting <code>target="_blank"</code> implicitly provides the same protection as setting <code>rel="noopener"</code>. See <a href="#browser_compatibility">browser compatibility</a> for details.</p>

<h2 id="Accessibility">Accessibility</h2>
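Review bot: The new link in the Security and privacy paragraph targets #browser_compatibility in lowercase, while the note added earlier in this file targets #Browser_compatibility, and the heading ids visible in this diff (Attributes, Security_and_privacy, Accessibility) are capitalized. Fragment identifiers are matched case-sensitively, so one of the two links will not resolve; suggest using the casing of the section's actual id in both places. The sentence also needs a comma after "in newer browser versions".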
