Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

.target() should set noreferrer and noopener #7

Open
hilbix opened this issue Nov 26, 2023 · 0 comments
Open

.target() should set noreferrer and noopener #7

hilbix opened this issue Nov 26, 2023 · 0 comments

Comments

@hilbix
Copy link
Owner

hilbix commented Nov 26, 2023
edited
Loading

This probably is a breaking change.

When using E.A.target() this should set the .attr({rel:'noreferrer noopener'}) by default.
There can be some option which reverts this, such that the opened target can refer to opener/referrer.

This is good for following reasons:

  • As a nobrainer, it should always be as secure as possible.

    • When A is used with a .target this usually means another window is opened, not the same window
    • When this new window is on a different origin, it should not be able to access window.opener nor the referrer by default for privacy reasons

  • If it is needed that the option is not set, you will quickly spot the problem and can fix it by adding the appropriate option.

    • The other way round it is usually just forgotten

Hence adding both options by default is the definitive way to go. Even that this may be a breaking change.

Also noted:

If E.A uses some href which is not some absulute/relative path, this also should be automatic.
Again the argument is the non-brainer. Things always should be secure by default.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hilbix