This repository has been archived by the owner on Jun 14, 2024. It is now read-only.

Track rel=noopener support #450

Open
martinsuchan opened this issue Sep 1, 2016 · 9 comments

Comments

@martinsuchan

This feature is already implemented in Chrome/Opera.

See:
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener
https://mathiasbynens.github.io/rel-noopener/
http://caniuse.com/#feat=rel-noopener
https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/12942405-implement-rel-noopener

@wojstu

wojstu commented Aug 22, 2018

Does anyone have any idea if this will be considered? It would be so great if you could implement it.

Maybe @xiaoyinl @alrra, you guys could answer or ask somebody else in the team?

@coreyward

coreyward commented Sep 11, 2018

Edge doesn't support window.opener on links targeting _blank, so there's not as much need for rel="noopener" support as with other browsers where the opener can be leaked to an external source.

@martinsuchan
Author

@coreyward Yes, Edge does not support rel=noopener on links yet. The goal of this ticket is to track it and eventually implement support for this attribute in Edge.
An example of how links targeting _blank without rel=noopener can be dangerous is available below.
Basically, the target site can modify the origin site through the window.opener object; this could lead to all kinds of problems.
https://mathiasbynens.github.io/rel-noopener/

@coreyward

@martinsuchan I just realized I had a typo. I've edited my comment. For clarity: Edge doesn't support window.opener, so the behavior is already the same as Chrome/Safari/Firefox when you use noopener. In other words, the security implications are already addressed and additional changes are not necessary.

@martinsuchan
Author

@coreyward "Edge doesn't support window.opener" - yes, it does:
[image]

@coreyward

Perhaps you should add a test case to this issue demonstrating window.opener being available to an external webpage (different host, or in IE parlance, a different security zone) when using target="_blank".

@earbullet

I used this page to test and it appears to work in both IE 11 and Edge.
https://davidebove.com/blog/2016/05/05/target_blank-the-vulnerability-in-your-browser/

According to Can I Use it says not supported, but they do appear to be supported.
https://caniuse.com/#feat=rel-noopener

So I'm not sure what is acceptable.

@Pedrofff

The reason the link works in IE11 and Edge is that it contains both noopener and noreferrer. noopener alone doesn't work in IE and Edge. A great way to test both links is to go to https://mathiasbynens.github.io/rel-noopener/.
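The check the thread is circling around, as an added example that is not part of the issue thread or of any browser's code: a small JavaScript audit that flags anchors opening a new browsing context without noopener, treats noreferrer as sufficient (it implies noopener and is what the comment above says IE11/Edge honour), and rewrites the rel attribute so both link types are present. The tag and attribute regexes are a simplified tokenizer for server-side or build-time HTML strings, not a full HTML parser, and the sample markup is constructed.

```javascript
// Added example (not from the issue thread): flag anchors that open a new
// browsing context without rel=noopener and rewrite them. noreferrer counts as
// sufficient: it implies noopener and is what legacy IE11/Edge honour.

// Split a rel value into lower-cased, de-duplicated link types.
function parseRel(rel) {
  return [...new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean))];
}

// _blank and named targets may create a new window that receives an opener;
// _self/_parent/_top navigate an existing context and never do (assumption:
// named targets are treated as new windows, a conservative over-approximation).
function opensNewContext(target) {
  return !!target && !['_self', '_parent', '_top'].includes(target.toLowerCase());
}

// True when the opened page would get a usable window.opener back to us.
function leaksOpener(target, rel) {
  if (!opensNewContext(target)) return false;
  const types = parseRel(rel);
  return !types.includes('noopener') && !types.includes('noreferrer');
}

// Add both link types so old and new engines are covered; keep existing ones.
function hardenRel(rel) {
  const types = parseRel(rel);
  for (const t of ['noopener', 'noreferrer']) if (!types.includes(t)) types.push(t);
  return types.join(' ');
}

// Audit an HTML string: report leaky <a> tags and return the hardened markup.
function hardenAnchors(html) {
  const findings = [];
  const fixed = html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const get = (name) => {
      const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
      return m ? (m[2] ?? m[3] ?? m[4]) : null;
    };
    const target = get('target'), rel = get('rel');
    if (!leaksOpener(target, rel)) return tag;
    findings.push({ href: get('href'), target, rel });
    const rest = attrs.replace(/\s*\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${rest} rel="${hardenRel(rel)}">`;
  });
  return { findings, html: fixed };
}

// Constructed sample markup, not taken from any real site.
const SAMPLE_HTML = [
  '<a href="https://example.com/" target="_blank">unsafe</a>',
  '<a href="https://example.com/" target="_blank" rel="nofollow">unsafe too</a>',
  '<a href="https://example.com/" target="_blank" rel="noopener noreferrer">safe</a>',
].join('\n');
```

Running `hardenAnchors(SAMPLE_HTML)` reports the first two anchors and returns markup in which both carry `rel="... noopener noreferrer"`, while the already-safe one is left untouched.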

@zac1st1k

Hi there, just some updates regarding this topic.

Firefox shipped this since version 52
https://bugzilla.mozilla.org/show_bug.cgi?id=1222516

Safari shipped this since TP 17
https://bugs.webkit.org/show_bug.cgi?id=155166
https://webkit.org/blog/7071/release-notes-for-safari-technology-preview-17/

Chrome shipped this since version 49
https://bugs.chromium.org/p/chromium/issues/detail?id=168988

Furthermore, "Make target=_blank imply noopener; support opener" has been merged into WHATWG:
whatwg/html#4330

Firefox shipped it since version 79
https://bugzilla.mozilla.org/show_bug.cgi?id=1522083

Safari shipped it since TP 68
https://bugs.webkit.org/show_bug.cgi?id=190481
https://webkit.org/blog/8475/release-notes-for-safari-technology-preview-68/

Chromium is actively working on it and, it seems, may ship it soon.
https://bugs.chromium.org/p/chromium/issues/detail?id=898942

I think this issue is becoming more serious, as it is reported by vulnerability scanning tools nowadays as a reverse tabnabbing exploit. May I ask if both rel=noopener and "target=_blank implies noopener" will be considered, and whether it will be backported to EdgeHTML Edge 18?

Cheers.
