link-rel-noopener

✅ The extends: 'recommended' property in a configuration file enables this rule.

🔧 The --fix option on the command line can automatically fix some of the problems reported by this rule.

When you want to link to an external page from your app, it is very common to use <a href="url" target="_blank"></a> to make the browser open this link in a new tab.

However, this practice has performance problems and also opens a door to some security attacks because the opened page can redirect the opener app to a malicious clone to perform phishing on your users.

Adding rel="noopener noreferrer" closes that door and prevents JavaScript in the opened tab from blocking the main thread of the opener. Also note that Firefox versions prior to 52 do not implement noopener, so rel="noreferrer" should be used instead (see Firefox issue).

Examples

This rule forbids the following:

<a href="https://i.seem.secure.com" target="_blank">I'm a bait</a>

This rule allows the following:

<a href="https://i.seem.secure.com" target="_blank" rel="noopener noreferrer">I'm a bait</a>
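
The check and the --fix behaviour described above, as an added example that is not ember-template-lint's own code: it scans plain HTML strings with regular expressions rather than a parsed template, and the function names and sample markup are assumptions made for illustration.

```javascript
// Added illustration, not ember-template-lint's own implementation. Assumes plain
// HTML anchors whose attribute values contain no ">"; all names are hypothetical.
const REQUIRED = ['noopener', 'noreferrer'];
const ANCHOR = /<a(?=[\s>])[^>]*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one opening <a> tag into a Map of lower-cased attribute name -> value.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.slice(2, -1).matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Tokens still missing from rel on a target="_blank" link ([] when compliant).
function missingRelTokens(tag) {
  const attrs = parseAttrs(tag);
  if ((attrs.get('target') ?? '').toLowerCase() !== '_blank') return [];
  const rel = (attrs.get('rel') ?? '').toLowerCase().split(/\s+/).filter(Boolean);
  return REQUIRED.filter((token) => !rel.includes(token));
}

// Report every offending anchor together with the tokens it lacks.
function findUnsafeLinks(html) {
  return [...html.matchAll(ANCHOR)]
    .map((m) => ({ tag: m[0], missing: missingRelTokens(m[0]) }))
    .filter((finding) => finding.missing.length > 0);
}

// Add the missing tokens, keeping rel tokens already present (e.g. nofollow).
function fixLinks(html) {
  return html.replace(ANCHOR, (tag) => {
    const missing = missingRelTokens(tag);
    if (missing.length === 0) return tag;
    const rel = [...tag.matchAll(ATTR)].find((m) => m[1].toLowerCase() === 'rel');
    if (!rel) return tag.replace(/\s*\/?>$/, (end) => ` rel="${missing.join(' ')}"${end.trimStart()}`);
    const kept = (rel[2] ?? rel[3] ?? rel[4] ?? '').trim();
    const attr = `rel="${[kept, ...missing].filter(Boolean).join(' ')}"`;
    return tag.slice(0, rel.index) + attr + tag.slice(rel.index + rel[0].length);
  });
}

// Constructed sample markup.
const SAMPLE = `<a href="https://example.com/a" target="_blank">one</a>
<a href="https://example.com/b" target='_blank' rel="nofollow noopener">two</a>
<a href="/internal">three</a>`;
console.log(findUnsafeLinks(SAMPLE), fixLinks(SAMPLE));
```

A link that carries only one of the two tokens is still reported, matching the configuration in which true requires both noopener and noreferrer.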

Configuration

The following values are valid configuration:

  • boolean (enable / disable); when true, requires both noopener and noreferrer

References