Jinja check: Missing noreferrer

Pages opened with target="_blank" allow the new page to access the original's window.opener. This can have security, privacy, and performance implications. Include rel="noopener noreferrer" to prevent this.

Description

Google Lighthouse recommends including noopener and noreferrer when using target="_blank". In short, a page opened with target="_blank" can access the window object of the origin page through the window.opener property, and can use that property to redirect the origin page to a malicious URL. This is called reverse tabnapping.

In general, when using target="_blank", always include rel="noopener noreferrer".

This check will detect the following cases.

<!-- Missing rel= -->
<html>
  <body>
    <a href="https://example.com" target="_blank">Test</a>
  </body>
</html>

<!-- Missing "noreferrer" -->
<html>
  <body>
    <a href="https://example.com" target="_blank" rel="noopener">Test</a>
  </body>
</html>

The check will consider the following cases acceptable.

<!-- No target="_blank" -->
<html>
  <body>
    <a href="https://example.com">Test</a>
  </body>
</html>

<!-- rel="noopener noreferrer" exists -->
<html>
  <body>
    <a href="https://example.com" target="_blank" rel="noopener noreferrer"
      >Test</a
    >
  </body>
</html>
