Now I know why I often see rel="noopener" inside <a> tags. But it turns out rel="noopener" is not enough! We really need this:
<a href="https://somesite.com/" target="_blank" rel="noopener noreferrer">
tl;dr — The page that is opened in a new tab or window can change the window.opener.location property so that a user who goes back to your page will fall into phishing-scam hell!
I’ve seen this happen from those annoying cover-all pop-up ads on mobile, and I’ve learned the only way out is to close the original window or page. Now I know why.
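One way to check existing markup for the rel value shown above is to scan it for target="_blank" links and add whichever of the two tokens is missing. This is an added example, not code from the original post; the function names (getAttr, hardenRel, hardenBlankLinks) and the sample markup are hypothetical, and the regex-based scan is an assumption made so it runs without a DOM.

```javascript
// Added example: harden target="_blank" links in an HTML string (regex scan,
// so ">" inside attribute values is not handled; in a browser, walk the DOM).
const REQUIRED = ["noopener", "noreferrer"];

const attrRe = (name) =>
  new RegExp(`(\\s${name}\\s*=\\s*)(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");

// Value of one attribute in a start tag (quoted or unquoted), or null if absent.
function getAttr(tag, name) {
  const m = attrRe(name).exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Add the required tokens to a rel value, keeping existing ones (e.g. nofollow).
function hardenRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const lower = tokens.map((t) => t.toLowerCase());
  for (const r of REQUIRED) if (!lower.includes(r)) tokens.push(r);
  return tokens.join(" ");
}

// Rewrite each <a ... target="_blank"> start tag whose rel lacks either token.
// Returns the new HTML plus the original tags that needed fixing.
function hardenBlankLinks(html) {
  const changed = [];
  const out = html.replace(/<a\s[^>]*>/gi, (tag) => {
    if ((getAttr(tag, "target") || "").toLowerCase() !== "_blank") return tag;
    const rel = getAttr(tag, "rel");
    const have = (rel || "").toLowerCase().split(/\s+/);
    if (REQUIRED.every((r) => have.includes(r))) return tag;
    changed.push(tag);
    const fixed = hardenRel(rel);
    return rel === null
      ? tag.replace(/\s*>$/, ` rel="${fixed}">`)
      : tag.replace(attrRe("rel"), (_, pre) => `${pre}"${fixed}"`);
  });
  return { html: out, changed };
}

// Constructed sample markup (not from the original page).
const SAMPLE = [
  '<a href="https://somesite.com/" target="_blank">no rel</a>',
  '<a href="https://somesite.com/" target="_blank" rel="noopener">one token</a>',
  '<a href="https://somesite.com/" target="_blank" rel="nofollow">other token</a>',
  '<a href="https://somesite.com/" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local">same tab</a>',
].join("\n");

console.log(hardenBlankLinks(SAMPLE).html);
```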