Require noopener in links and window.open()

[johnwilander]

We should require links to have rel="noopener" and window.open() be called with the noopener window feature to make sure that there is no covert, cross-site communication channel back to the opener over which tracking information can be sent.

Ping @csharrison and @johnivdel for consideration in Attribution Reporting API.

[SOV37]

Dawn

[annevk]

It might be simpler to default to noopener if the attribution attributes are present? Similar to target=_blank, except you would not allow it to be overridden.

[johnwilander]

It might be simpler to default to noopener if the attribution attributes are present? Similar to target=_blank, except you would not allow it to be overridden.

I had the same thought some time after filing this. Requiring the developer to opt in to noopener makes it explicit and known to them instead of implicit and a side effect. I could go either way.

[AramZS]

I agree, defaulting to noopener mode makes the most sense to me if that's the way the system is intended to work. Long term it seems to me that if it is always active, which I think is what we are discussing here(?), then having to add it as a property to every use seems to be messy?

[csharrison]

Sorry I missed this originally. This seems reasonable to me, and I can also bring it up in the attribution reporting api WICG meeting next week.

[npdoty]

in either approach, how will/should the developer learn why something is broken? does one way make it easier to put a debug warning into the console?

[csharrison]

in either approach, how will/should the developer learn why something is broken? does one way make it easier to put a debug warning into the console?

I think either case should be easy to signal to developers with a console error.