template-link-rel-noopener.md

ember/template-link-rel-noopener

💼 This rule is enabled in the 📋 template-lint-migration config.

🔧 This rule is automatically fixable by the --fix CLI option.

When you want to link to an external page from your app, it is very common to use <a href="url" target="_blank"></a> to make the browser open this link in a new tab.

However, this practice has performance problems and also opens a door to some security attacks because the opened page can redirect the opener app to a malicious clone to perform phishing on your users.

Adding rel="noopener noreferrer" closes that door and avoids javascript in the opened tab to block the main thread in the opener. Also note that Firefox versions prior 52 do not implement noopener, so rel="noreferrer" should be used instead (see Firefox issue).

Examples

This rule forbids the following:

<a href='https://i.seem.secure.com' target='_blank'>I'm a bait</a>

This rule allows the following:

<a href='https://i.seem.secure.com' target='_blank' rel='noopener noreferrer'>I'm a bait</a>

References

• Link type "noreferrer" spec