Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disowning opener by default for target="_blank" links #2799

Open
Malvoz opened this issue Aug 8, 2019 · 4 comments
Open

Disowning opener by default for target="_blank" links #2799

Malvoz opened this issue Aug 8, 2019 · 4 comments
Labels
area:hint hacktoberfest hint-category:security

Comments

@Malvoz
Copy link
Member

Malvoz commented Aug 8, 2019
edited
Loading

This issue is about hint-disown-opener.

Developers have for some time been adviced to set rel="noopener" for outgoing target="_blank" links. However, WHATWG spec changes now says these links should imply noopener by default. That spec change also adds the opener link relation.

I suppose, changes to hint-disown-opener should wait until browsers actually implement this. And I think rather than looking for target="_blank" links to include rel="noopener" - instead perhaps warn if links contain rel="opener".

This is related to potential future checks for the Cross-Origin-Opener-Policy HTTP header mentioned in #1633.

Additionally, the rel attribute is now supported on <form> elements!
@antross
Copy link
Member

antross commented Aug 8, 2019
edited
Loading

Thanks for the heads-up @Malvoz!

I suppose, changes to hint-disown-opener should wait until browsers actually implement this.

Agree and I think we should tie this to the list of target browsers configured by the user. So if any target browser doesn't imply noopener by default webhint would give the current advice. If all target browsers imply noopener by default then webhint would even advise removing it as it would be unnecessary.

instead perhaps warn if links contain rel="opener"

That seems like a good addition to include too and can probably reported regardless of target browser.

@Malvoz
Copy link
Member Author

Malvoz commented Aug 8, 2019
edited
Loading

instead perhaps warn if links contain rel="opener"

That seems like a good addition to include too and can probably reported regardless of target browser.

I opened the same issue for Google's Lighthouse, their stand on warning for links using rel="opener":

we wouldn't ever flag explicit opener values since if you're explicitly opting in the assumption is that you needed to for some reason.

Which I think makes sense :)

@Malvoz
Copy link
Member Author

Malvoz commented Aug 12, 2019
edited
Loading

Implementation status:

https://bugs.chromium.org/p/chromium/issues/detail?id=898942
https://bugzilla.mozilla.org/show_bug.cgi?id=1503681
https://bugs.webkit.org/show_bug.cgi?id=190481

@molant
Copy link
Member

molant commented Sep 12, 2019

New bug for Firefox seems to be https://bugzilla.mozilla.org/show_bug.cgi?id=1522083. Also the feature hasn't landed yet :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:hint hacktoberfest hint-category:security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@molant @antross @hxlnt @Malvoz