target=_blank on anchors now implies rel=noopener

Published:

Categories: DOM, HTML, Privacy & Security

Releases: Firefox 79

Description

Starting with Firefox 79, <a> and <area> elements having target="_blank" will imply rel="noopener" if no rel attribute is set on the element, according to the current HTML spec. The noopener link type makes window.opener null in the new window, preventing the DOM property from being abused by untrusted third-party sites. If needed, explicitly setting rel="opener" reverses the course.

Apple made the change first with Safari 12.1 shipped in March 2019. In Firefox, the new behaviour has been enabled by default in the Nightly and early Beta channels since Firefox 65. Google Chrome may also follow.

It’s a good idea to take this opportunity to check your code for window.opener and understand what’s actually the opener.

How can I test this?

This change can be tested with the compatibilty checker in our Firefox Developer Tools extension. Get it today!

References