- From: James M. Greene <james.m.greene@gmail.com>
- Date: Tue, 6 Jan 2015 14:43:26 -0600
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WHATWG <whatwg@lists.whatwg.org>
>
> Yes, if we do it with window.open(), then it's possible to set opener to
>
> null. However, if you click on a link with target=_blank, window.opener
>
> is set as well.
>
>
> Not if you use rel="nofollow", per spec.
The spec doesn't mention that `rel="nofollow"` should null out
`window.opener`. That behavior is only mentioned for `rel="noreferrer"`.
http://www.w3.org/TR/html5/links.html#link-type-nofollow
http://www.w3.org/TR/html5/links.html#link-type-noreferrer
http://www.w3.org/TR/html5/browsers.html#noopener (only specifically
mentions "noreferrer")
https://html.spec.whatwg.org/#link-type-nofollow
https://html.spec.whatwg.org/#link-type-noreferrer
https://html.spec.whatwg.org/#noopener (only specifically mentions
"noreferrer")
Sincerely,
James Greene
On Tue, Jan 6, 2015 at 2:16 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/6/15 3:10 PM, Nicholas C. Zakas wrote:
>
>> Yes, if we do it with window.open(), then it's possible to set opener to
>> null. However, if you click on a link with target=_blank, window.opener
>> is set as well.
>>
>
> Not if you use rel="nofollow", per spec. Browser support there is still
> spotty but improving.
>
> Of course that affects more than just window.opener (e.g. affects whether
> a referrer is sent)....
>
> -Boris
>
Received on Tuesday, 6 January 2015 22:56:08 UTC