New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add section about overriding for trusted links #2438
Conversation
docs/rules/jsx-no-target-blank.md
Outdated
@@ -74,6 +74,9 @@ var Hello = <Link target="_blank" to="/absolute/path/in/the/host"></Link> | |||
var Hello = <Link /> | |||
``` | |||
|
|||
## When To Override It | |||
For internal links, or links to a "safe" host, you may want to keep the HTTP Referer header for analytics purposes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you elaborate on what you mean by "safe"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated with additional text. To elaborate further on the reason for this change: this lint rule and the linked page make it sound like one should never use target="_blank" without noreferer and noopener. However, as I understand, if you control the site to which you are linking, there is no vulnerability. And there are good reasons to keep the referer header (e.g. interal analytics/tracking).
No description provided.