jsx-no-target-blank does not accept noopener keyword #2983

Closed
meeq opened this issue May 7, 2021 · 1 comment

meeq commented May 7, 2021

The rule enforces noreferrer, but it should also accept noopener.

As per the HTML Living Standard on Links (§4.6.6.13 Link type "noopener"):

The [noopener] keyword indicates that any newly created top-level browsing context which results from following the hyperlink will not be an auxiliary browsing context. E.g., its window.opener attribute will be null.

[noreferrer] indicates that no referrer information is to be leaked when following the link and also implies the noopener keyword behavior under the same conditions.

As per the OWASP Cheatsheet on Reverse Tabnabbing:

To summarize, it's the capacity to act on parent page's content or location from a newly opened page via the back link exposed by the opener JavaScript object instance.

To cut this back link, add the attribute rel="noopener" on the tag used to create the link from the parent page to the child page.

While OWASP does suggest also adding noreferrer, there are legitimate scenarios where sending the referrer is intended.

The purpose of this rule is to mitigate a security risk. If the maintainers wish to provide a means to enforce noreferrer, there should be an option or a separate rule.
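
As an added example (not code from eslint-plugin-react or from either commenter), the check the issue asks for, in the shape a lint rule applies it: a `target="_blank"` link passes when its `rel` contains either `noopener` or `noreferrer`. It assumes link attributes are available as plain objects, and the sample links are constructed.

```javascript
// Added example, not code from eslint-plugin-react: a minimal check that mirrors
// what jsx-no-target-blank enforces, with the behaviour this issue asks for.
// A target="_blank" link is acceptable when its rel contains noopener OR
// noreferrer (per the HTML spec, noreferrer implies noopener). rel is a
// space-separated, ASCII case-insensitive set of keywords.

function relTokens(rel) {
  // A non-string rel (e.g. a JSX expression that cannot be evaluated statically)
  // is treated as providing no keywords, so the link gets flagged.
  if (typeof rel !== 'string') return new Set();
  return new Set(
    rel.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()),
  );
}

// Returns null when the link is fine, otherwise a message describing the risk.
function checkTargetBlank(attrs) {
  const target = typeof attrs.target === 'string' ? attrs.target.toLowerCase() : '';
  if (target !== '_blank') return null; // only new-window links expose window.opener
  const tokens = relTokens(attrs.rel);
  if (tokens.has('noopener') || tokens.has('noreferrer')) return null;
  return 'target="_blank" without rel="noopener" or rel="noreferrer": ' +
    'the opened page can reach this page through window.opener (reverse tabnabbing)';
}

// Constructed sample links, as their attributes would appear on <a> elements in JSX.
const samples = [
  { href: 'https://example.com', target: '_blank' },                     // flagged
  { href: 'https://example.com', target: '_blank', rel: 'noopener' },    // ok
  { href: 'https://example.com', target: '_blank', rel: 'NoReferrer' },  // ok (case-insensitive)
  { href: 'https://example.com', target: '_blank', rel: 'nofollow' },    // flagged
  { href: 'https://example.com' },                                       // ok, no new window
];

// Returns the index and message for each link that fails the check.
function lintLinks(links) {
  return links
    .map((link, i) => ({ index: i, problem: checkTargetBlank(link) }))
    .filter((r) => r.problem !== null);
}

console.log(lintLinks(samples)); // two findings: indices 0 and 3
```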

meeq changed the title from "jsx-no-target-blank does not respect noopener keyword" to "jsx-no-target-blank does not accept noopener keyword" on May 7, 2021

ljharb (Member) commented May 8, 2021

Duplicate of #2924. Fixed in #2925.

ljharb closed this as completed May 8, 2021