To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.

Motivation

To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.

https://html.spec.whatwg.org/#following-hyperlinks

To get an element's noopener, given an a, area, or form element element and a string target, run these steps:

...

If element's link types do not include the opener keyword and target is an ASCII case-insensitive match for "_blank", then return true.

...
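The quoted step can be evaluated over a site's links to see which ones rely on the implicit default and which keep an opener reference. This is an added example, not code from the HTML standard or from Chromium; the function names and sample links are hypothetical, and the two steps the page elides as "..." (explicit noopener/noreferrer returns true, otherwise false) are recalled from the standard.

```javascript
// Added example: not code from the HTML standard or from Chromium.
// ASCII-only lowercasing. String.prototype.toLowerCase would also fold
// non-ASCII characters such as U+212A KELVIN SIGN to "k", which is not
// an ASCII case-insensitive match.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// Split a rel value into link-type keywords (ASCII-whitespace separated).
function linkTypes(rel) {
  return new Set(asciiLower(rel || "").split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Decide whether a link gets noopener, and why (hypothetical helper).
function noopenerFor(rel, target) {
  const types = linkTypes(rel);
  const blank = asciiLower(target || "") === "_blank";
  // Step recalled from the standard (elided as "..." on the page).
  if (types.has("noopener") || types.has("noreferrer")) {
    return { noopener: true, reason: "explicit" };
  }
  // Step quoted on the page: _blank without the opener keyword.
  if (!types.has("opener") && blank) {
    return { noopener: true, reason: "implicit" };
  }
  // Final step recalled from the standard: otherwise false.
  return { noopener: false, reason: blank ? "opted-out" : "not-blank" };
}

// Constructed sample links; the hrefs are placeholders.
const SAMPLE_LINKS = [
  { href: "https://example.test/a", rel: "", target: "_blank" },
  { href: "https://example.test/b", rel: "NoReferrer", target: "_BLANK" },
  { href: "https://example.test/c", rel: "opener", target: "_blank" },
  { href: "https://example.test/d", rel: "", target: "report" },
];

// Annotate each link with the noopener decision and its reason.
function audit(links) {
  return links.map((l) => ({ href: l.href, ...noopenerFor(l.rel, l.target) }));
}

console.log(audit(SAMPLE_LINKS));
```

Links reported as "implicit" are covered only in browsers that implement the changed default, so an explicit rel="noopener" is what protects users of older releases.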

Specification

Editor's draft

Status in Chromium

Blink>DOM


Enabled by default (tracking bug) in:

  • Chrome for desktop release 88
  • Chrome for Android release 88
  • Android WebView release 88

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owner

Last updated on 2021-01-26