
Anchor target=_blank implies rel=noopener by default

Category: Security
Type: No developer-visible change
Status: Enabled by default (Chrome 88)
Intent stage: Prepare to ship

Summary

To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.

Motivation

To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.

From https://html.spec.whatwg.org/#following-hyperlinks:

To get an element's noopener, given an a, area, or form element element and a string target, run these steps:

...

If element's link types do not include the opener keyword and target is an ASCII case-insensitive match for "_blank", then return true.

...
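The noopener decision described above, as an added example for auditing a page's links (not code from Chromium or from the HTML standard). The link objects, the classification labels and the sample URLs are assumptions; the noopener/noreferrer rule is taken from the HTML standard rather than from the excerpt, and any named target is treated as opening a new window.

```javascript
// Added example: models the "get an element's noopener" steps on plain objects.
// ASCII-only lowercasing, matching the standard's "ASCII case-insensitive" rule.
const asciiLower = (s) => (s || "").replace(/[A-Z]/g, (c) => c.toLowerCase());

// Split a rel value into its set of link-type keywords.
function linkTypes(rel) {
  return new Set(asciiLower(rel).split(/[ \t\n\f\r]+/).filter(Boolean));
}

// True when the link is followed as if noopener were set.
function getNoopener(rel, target) {
  const types = linkTypes(rel);
  // Explicit keywords always sever the opener (rule from the HTML standard).
  if (types.has("noopener") || types.has("noreferrer")) return true;
  // The default described on this page: _blank without the opener keyword.
  return !types.has("opener") && asciiLower(target) === "_blank";
}

// Audit classification (labels are hypothetical):
//   same-context: no new window requested, so no opener relationship is created
//   explicit:     rel severs the opener regardless of the browser default
//   implied:      protected only by the _blank default
//   exposed:      the opened page keeps a reference to its opener
function classify(link) {
  const target = asciiLower(link.target);
  if (["", "_self", "_parent", "_top"].includes(target)) return "same-context";
  const types = linkTypes(link.rel);
  if (types.has("noopener") || types.has("noreferrer")) return "explicit";
  return getNoopener(link.rel, link.target) ? "implied" : "exposed";
}

function audit(links) {
  return links.map((l) => ({ href: l.href, status: classify(l) }));
}

// Constructed sample links (hypothetical URLs and window name).
const sampleLinks = [
  { href: "https://example.com/a", target: "_blank" },
  { href: "https://example.com/b", target: "_BLANK", rel: "nofollow" },
  { href: "https://example.com/c", target: "_blank", rel: "opener" },
  { href: "https://example.com/d", target: "_blank", rel: "NoReferrer external" },
  { href: "https://example.com/e", target: "reportWindow" },
  { href: "https://example.com/f" },
];

console.table(audit(sampleLinks));
```

Links reported as "implied" depend on the browser applying the _blank default (Chrome 88 per this entry); adding an explicit rel="noopener" moves them to "explicit".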

Standards & signals

Explainers: https://html.spec.whatwg.org/#following-hyperlinks
