Links with target=_blank will cause some kind of phishing attack known as tabnabbing.
Details of this attack are described below.
This is caused by the window.opener JavaScript API, and it will be prevented by the new rel=noopener API.
So I propose adding this attribute to link_to when it is given target: "_blank".
link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
<!-- before -->
<a href="http://www.rubyonrails.org/" target="_blank">External link</a>
<!-- after -->
<a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>
Here is the noopener spec.
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener
Currently implemented by Chrome/Opera.
noreferrer is considered an alternative to noopener for older browsers.
But this causes the referrer not to be sent to the server, so it’ll cause a breaking change for some apps.
noopener has no side effects for apps that don't use window.opener, of course.
I’m posting this to ask you guys before writing a PR, according to the guideline.
Thanks.
Jxck
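
The proposed behaviour, sketched as an added example that is not part of the original post and is not Rails' own code: a stand-alone Ruby helper that adds noopener to rel when target is "_blank", keeping any rel tokens the caller already set. The names with_noopener and render_link are hypothetical and only stand in for link_to.

```ruby
require "erb"

# Hypothetical helper (not Rails' link_to): returns a copy of the HTML
# options with "noopener" added to rel when the link targets "_blank".
def with_noopener(html_options)
  opts = html_options.transform_keys(&:to_s)

  # The "_blank" keyword is matched case-insensitively by browsers.
  return opts unless opts["target"].to_s.downcase == "_blank"

  # rel is a space-separated token list; preserve what the caller passed
  # (for example "nofollow") and avoid adding a duplicate token.
  tokens = opts["rel"].to_s.split
  tokens << "noopener" unless tokens.any? { |t| t.casecmp?("noopener") }
  opts["rel"] = tokens.join(" ")
  opts
end

# Hypothetical stand-in for link_to, so the result can be compared with
# the before/after markup in the post. Attribute values are HTML-escaped.
def render_link(text, href, html_options = {})
  attrs = { "href" => href }.merge(with_noopener(html_options))
  rendered = attrs.map do |name, value|
    %(#{name}="#{ERB::Util.html_escape(value)}")
  end
  "<a #{rendered.join(' ')}>#{ERB::Util.html_escape(text)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample calls.
  puts render_link("External link", "http://www.rubyonrails.org/", target: "_blank")
  puts render_link("Partner", "http://example.com/", target: "_blank", rel: "nofollow")
  puts render_link("Same tab", "http://example.com/")
end
```

Links without target: "_blank" are returned unchanged, so existing markup is only affected where a new tab is opened.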