Mozilla plans to introduce a change in an upcoming version of Firefox Stable that makes the handling of links more secure. The organization introduced an option in Firefox Nightly back in November 2018 that set the link attribute rel="noopener" if target="_blank" is set.
The target="_blank" directive orders the web browser to open the target of the link in a new browser tab; otherwise, the link will be opened in the same tab.
The problem with target="_blank" is that the resource of the link gets full control over the originating window object even if it is a different site. You can check out this — harmless — demo of how the linked resource may manipulate content on the originating page.
Basically, it allows the target site to change content on the originating site, e.g. to use it for phishing or to change information on the originating page. A user who switches back to the originating tab might not notice the manipulation.
Advertisers may abuse the functionality as well, e.g. to display advertisements on the linking site.
Webmasters may set rel="noopener" for links to protect users and their sites against any form of manipulation. We set the attribute for all links automatically here on Ghacks, but many sites don’t.
Mozilla plans to set rel="noopener" for all links that use target="_blank" from Firefox 79 onward. It is interesting to note that setting rel="noopener" may also improve performance.
Webmasters who want to retain the classic behavior need to set rel="opener" manually to ensure that the functionality remains active.
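The rule described above, as an added example that is not from the article or from Mozilla: a small JavaScript audit that classifies target="_blank" links, shows whether the new tab would receive window.opener with and without the browser default, and adds rel="noopener" where protection would otherwise depend on the browser. The {href, target, rel} descriptor shape, the function names and the sample URLs are assumptions made for the example.

```javascript
// rel holds space-separated, case-insensitive tokens.
const relTokens = (rel) =>
  new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));

// Classify one link descriptor {href, target, rel} (hypothetical shape).
function classify(link) {
  if ((link.target || '').toLowerCase() !== '_blank') return 'not-blank';
  const rel = relTokens(link.rel);
  // noreferrer also implies noopener; noopener wins over opener.
  if (rel.has('noopener') || rel.has('noreferrer')) return 'explicit-noopener';
  if (rel.has('opener')) return 'explicit-opener';
  return 'browser-default';
}

// Does the new tab get window.opener? implicitNoopener=true models the
// Firefox 79 default, false a browser without it. null = not target=_blank.
function exposesOpener(link, implicitNoopener) {
  switch (classify(link)) {
    case 'explicit-noopener': return false;
    case 'explicit-opener': return true;
    case 'browser-default': return !implicitNoopener;
    default: return null;
  }
}

// Return a copy with noopener added where protection depends on the browser.
// Links that opt in with rel="opener" are left alone so they can be reviewed.
function harden(link) {
  if (classify(link) !== 'browser-default') return { ...link };
  return { ...link, rel: [...relTokens(link.rel), 'noopener'].join(' ') };
}

// Constructed sample links (example.* hosts are placeholders).
const sampleLinks = [
  { href: 'https://example.com/a', target: '_blank' },
  { href: 'https://example.com/b', target: '_BLANK', rel: 'nofollow' },
  { href: 'https://example.org/c', target: '_blank', rel: 'noreferrer' },
  { href: 'https://example.net/d', target: '_blank', rel: 'opener' },
  { href: 'https://example.com/e' },
];

for (const link of sampleLinks) {
  console.log(link.href, classify(link), '->', harden(link).rel || '(no rel)');
}
```

Links reported as explicit-opener keep the classic behavior in every browser, so they are the ones worth reviewing by hand.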
Mozilla plans to release Firefox 79 on July 28, 2020 according to the Firefox release schedule. It is unclear why it took so long to get implemented in Firefox Stable.
Apple introduced the same functionality in the company’s Safari browser in March 2019, and Google plans to introduce it in Chrome as well in the future.
Firefox users and other browser users can also install browser extensions such as Don’t Touch My Tabs to set rel="noopener" automatically.
Now You: Do you check links before you click on them? (via Sören Hentzschel)