Default protection against target=_blank vulnerability

[kamsar]

There's a big security hole with using target=_blank links to other sites.

I cooked up a vanilla one-liner to automatically disable the vulnerability, which imo should go into the default js kit because most CMSes do not enable setting the rel correctly so generated content is unlikely to be protected.

What do you guys think?

Array.from(document.querySelectorAll('a[target=_blank]')).filter(function(e) { return !e.rel || e.rel.indexOf('noopener') < 0 }).forEach(function(e) { e.rel = (e.rel||'') + ' noopener noreferrer'; });

[krambuhl]

This looks like a smart addition. maybe surfacing this as security "component"?