This probably is a breaking change.
When using E.A.target() this should set the .attr({rel:'noreferrer noopener'}) by default.
There can be some option which reverts this, such that the opened target can refer to opener/referrer.
This is good for following reasons:
-
As a nobrainer, it should always be as secure as possible.
- When
A is used with a .target this usually means another window is opened, not the same window
- When this new window is on a different origin, it should not be able to access
window.opener nor the referrer by default for privacy reasons
-
If it is needed that the option is not set, you will quickly spot the problem and can fix it by adding the appropriate option.
- The other way round it is usually just forgotten
Hence adding both options by default is the definitive way to go. Even that this may be a breaking change.
Also noted:
If E.A uses some href which is not some absulute/relative path, this also should be automatic.
Again the argument is the non-brainer. Things always should be secure by default.
This probably is a breaking change.
When using
E.A.target()this should set the.attr({rel:'noreferrer noopener'})by default.There can be some option which reverts this, such that the opened target can refer to opener/referrer.
This is good for following reasons:
As a nobrainer, it should always be as secure as possible.
Ais used with a.targetthis usually means another window is opened, not the same windowwindow.openernor the referrer by default for privacy reasonsIf it is needed that the option is not set, you will quickly spot the problem and can fix it by adding the appropriate option.
Hence adding both options by default is the definitive way to go. Even that this may be a breaking change.
Also noted:
If
E.Auses some href which is not some absulute/relative path, this also should be automatic.Again the argument is the non-brainer. Things always should be secure by default.