The rule enforces noreferrer, but it should also accept noopener.

As per the HTML Living Standard on Links (§4.6.6.13 Link type "noopener"):

> The [noopener] keyword indicates that any newly created top-level browsing context which results from following the hyperlink will not be an auxiliary browsing context. E.g., its window.opener attribute will be null.
>
> [noreferrer] indicates that no referrer information is to be leaked when following the link and also implies the noopener keyword behavior under the same conditions.

As per the OWASP Cheatsheet on Reverse Tabnabbing:

> To summarize, it's the capacity to act on parent page's content or location from a newly opened page via the back link exposed by the opener JavaScript object instance.
>
> To cut this back link, add the attribute rel="noopener" on the tag used to create the link from the parent page to the child page.

While OWASP does suggest also adding noreferrer, there are legitimate scenarios where sending the referrer is intended.

The purpose of this rule is to mitigate a security risk. If the maintainers wish to provide a means to enforce noreferrer, there should be an option or a separate rule.

meeq changed the title from "jsx-no-target-blank does not respect noopener keyword" to "jsx-no-target-blank does not accept noopener keyword" on May 7, 2021
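
The distinction raised in the issue, as an added example that is not part of the original post and not eslint-plugin-react's code: a small checker that audits target="_blank" links under two policies, one accepting either keyword (noreferrer implies noopener) and one requiring noreferrer. The function names, the `policy` values and the sample links are assumptions constructed for illustration.

```javascript
// Added example: hypothetical checker, not eslint-plugin-react's implementation.
// rel holds space-separated link-type keywords, compared ASCII case-insensitively.
function relTokens(rel) {
  return new Set(String(rel || "").toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Classify one link. `policy` is an assumed option name:
//   "opener"   - accept noopener or noreferrer (what the issue asks for)
//   "referrer" - require noreferrer (what the issue says the rule enforces)
function checkLink({ target, rel }, policy = "opener") {
  const opensNewContext =
    typeof target === "string" && target.toLowerCase() === "_blank";
  const tokens = relTokens(rel);
  // noreferrer implies noopener, so either keyword nulls window.opener.
  const openerCut = tokens.has("noopener") || tokens.has("noreferrer");
  // Only noreferrer suppresses the Referer information.
  const referrerHidden = tokens.has("noreferrer");
  let ok = true;
  if (opensNewContext) {
    ok = policy === "referrer" ? referrerHidden : openerCut;
  }
  return { opensNewContext, openerCut, referrerHidden, ok };
}

// Constructed sample input; the hrefs are placeholders.
const SAMPLE_LINKS = [
  { href: "https://example.com/a", target: "_blank" },
  { href: "https://example.com/b", target: "_blank", rel: "noopener" },
  { href: "https://example.com/c", target: "_blank", rel: "NoReferrer nofollow" },
  { href: "https://example.com/d", target: "_blank", rel: "noopenerx" }, // not a keyword match
  { href: "https://example.com/e", rel: "" }, // no new browsing context requested
];

// Return the hrefs that fail the chosen policy.
function audit(links, policy) {
  return links.filter((link) => !checkLink(link, policy).ok).map((link) => link.href);
}

console.log("opener policy flags:  ", audit(SAMPLE_LINKS, "opener"));
console.log("referrer policy flags:", audit(SAMPLE_LINKS, "referrer"));
```

Link b passes the opener policy but fails the referrer policy: its back link is already cut, and it is flagged only because the referrer is still sent.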