Firefox security: rel=noopener for target=_blank

Mozilla is testing a new security feature in Firefox Nightly currently that adds rel=”noopener” automatically to links that use target=”_blank”.

Target=”_blank” instructs browsers to open the link target in a new tab in the web browser automatically; without the target attribute, links would open in the same tab unless users use built-in browser functionality, e.g. by holding down Ctrl or Shift, to open the link in a different way.

Rel=”noopener is supported by all major web browsers. The attribute makes sure that window-opener is null in modern browsers. Null means that it contains no value.

If rel=”noopener” is not specified, linked resources have full control over the originating window object even if the resources are on different origins. The destination link could manipulate the originating document, e.g. replace it with a lookalike for phishing, display advertisement on it or manipulate it in any other way imaginable.

You can check out a demo page on rel=”noopener” abuse here. It is harmless but highlights how destination sites may alter the originating site if the attribute is not used.

ghacks rel noopener

Rel=”noopener” protects the originating document. Webmasters can — and should — specify rel=”noopener” whenever they use target=”_blank”; we use the attribute on all external links here on this site already.

Apple implemented a change in Safari in October that applies rel=noopener automatically to any link that uses target=_blank.

The Nightly version of Firefox supports the security feature as well now. Mozilla wants to collect data to make sure that the change does not break anything major on the Internet.

The preference dom.targetBlankNoOpener.enable controls the functionality. It is only available in Firefox 65 and set to true by default (which means that rel=”_noopener” is added).


Firefox users may change the preference to turn off the feature. While it is not recommended because of the security implications, you may want to do so if you run into compatibility issues.

  1. Load about:config?filter=dom.targetBlankNoOpener.enable in the browser’s address bar.
  2. Confirm that you will be careful if the warning prompt is displayed.
  3. Double-click on the preference.

A value of true means that rel=”noopener” is added to links with target=”_blank”, a value of false that it is not.

Mozilla targets Firefox 65 for the Stable release. Things may get delayed depending on issues that may be reported or noticed. Firefox 65 will be released on January 29, 2019. (via Sören Hentzschel)

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader. The post Firefox security: rel=noopener for target=_blank appeared first on gHacks Technology News.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.