Include rel=noopener

[Galixte]

Hi @rmcgirr83,

i discovered this potiential issue: https://mathiasbynens.github.io/rel-noopener/.

Do you know?
whatwg/html#290
https://developers.google.com/web/tools/lighthouse/audits/noopener
https://html.spec.whatwg.org/multipage/links.html#link-type-noopener

On these pages, it proposed to use this kind of codes:

• https://www.developpez.com/actu/98441/Un-developpeur-web-recommande-l-utilisation-de-rel-egal-noopener-pour-empecher-les-attaques-par-hameconnage-lancees-en-se-servant-du-window-opener/:

var otherWindow = window.open(); 
otherWindow.opener = null; 
otherWindow.location = URL;

• https://www.blogdev.fr/tutoriels/securite/faille-securite-target-blank:

var nouvelOnglet = window.open('https://www.google.fr', '_blank');
nouvelOnglet.opener = undefined;

Browser compliance: https://caniuse.com/#search=noopener & https://caniuse.com/#search=noreferrer

The future solution: https://www.w3.org/TR/CSP/#directive-disown-opener?

What do you think?

[rmcgirr83]

First I don't read nor comprehend French. Second I think it's a non issue.

[Galixte]

Links in french aren’t very important, first links are. :)

And what about this? tinymce/tinymce#3177, especially this: tinymce/tinymce#3177 (comment). Since 4.7.4 version from WordPress the Tiny MCE 4.5 version was updated to integrate this security feature: https://www.tinymce.com/docs/changelog/#version450-november232016 (find noopener ).

[rmcgirr83]

The code doesn't use target="_blank"
https://github.com/rmcgirr83/phpBB-3.1-elonw/blob/master/styles/all/template/event/overall_footer_after.html#L10-L11