Linking to another page using target=”_blank” can hinder performance and pose a security risk

I recently learned that using target="_blank" to have links open in a new tab causes the new page to run on the same process as your page. If the new link is executing large chunks of JavaScript, your page’s performance may also suffer.  But in addition to a potential performance hit, using  target="_blank" is also a security vulnerability.  Using rel=noopener is recommended.  This will prevent the newly opened page from accessing your window object via window.opener.

<a href="http://mylink.com" target="_blank" rel="noopener">My Link</a>

WordPress began implementing this when adding a hyperlink to text and selecting the “Open link in new window/tab” checkbox.  It does not appear that rel=noopener is supported by Edge at this time.

Here is some more info on rel=noopener:

developers.google.com/web/tools/lighthouse/audits/noopener

Here are a few examples demonstrating the security vulnerability and how the page that is linked to can manipulate the original page.

mathiasbynens.github.io/rel-noopener

jakearchibald.com/2016/performance-benefits-of-rel-noopener

Advertisements