
“target=_blank” is not only bad practice, but could be harmful - FabianBeiner
https://mathiasbynens.github.io/rel-noopener/
======
lazyjones
Can someone please explain why window.opener is set and modifiable when a user
clicks on such a link? It seems inappropriate to me and I really don't see a
compelling case for not changing this behavior and adding yet more cruft to
HTML (rel="noopener") that'll slowly become the "secure default". This is
particularly irritating: [https://lists.w3.org/Archives/Public/public-whatwg-archive/2...](https://lists.w3.org/Archives/Public/public-whatwg-archive/2015Jan/0008.html)
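
An added example of the defensive side of what lazyjones asks about (this is not code from the thread or from the linked page; the function names are my own): a link opened with target=_blank hands the new page a window.opener reference unless rel="noopener" is present, so these helpers flag such links, add the token, and open new tabs without an opener.

```javascript
// Split a rel attribute into lower-cased tokens (rel is a space-separated token list).
function relTokens(rel) {
  return (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// True when the link opens a new browsing context that would receive window.opener.
// Works on plain {target, rel} objects so it can be run outside a browser.
function needsNoopener(link) {
  const target = (link.target || "").toLowerCase();
  if (target !== "_blank") return false;
  return !relTokens(link.rel).includes("noopener");
}

// Return the rel value with "noopener" added exactly once, keeping other tokens.
function hardenedRel(rel) {
  const tokens = relTokens(rel);
  if (!tokens.includes("noopener")) tokens.push("noopener");
  return tokens.join(" ");
}

// Audit a constructed list of links and return the ones that still expose opener.
function auditLinks(links) {
  return links.filter(needsNoopener);
}

// Apply the fix to every anchor in a DOM document; returns how many were changed.
function hardenBlankLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const link = { target: a.getAttribute("target"), rel: a.getAttribute("rel") };
    if (needsNoopener(link)) {
      a.setAttribute("rel", hardenedRel(link.rel));
      changed += 1;
    }
  }
  return changed;
}

// Open a URL in a new tab without giving it a window.opener reference:
// open about:blank first (same-origin, so opener is writable), null it, then navigate.
function openWithoutOpener(url) {
  const w = window.open("", "_blank");
  if (w) {
    w.opener = null;
    w.location.href = url;
  }
}
```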

~~~
tonyarkles
Likely the same reason a lot of things are iffy on the web: backwards
compatibility. You've got large organizations that built line-of-business apps
in the early 2000s; they've since laid off the entire development staff but
the application continues to run.

Now a new version of Chrome comes out and the app doesn't work because the
behaviour of window.opener has changed. What to do? Well, you can version lock
to the newest version of Chrome that doesn't exhibit this behaviour (probably
via an Active Directory Group Policy), or you can require users to use IE or
Firefox instead of Chrome. Re-build the web app instead? That's pretty
expensive and isn't on the roadmap until Q4 2017, but due to budgetary
pressure may not happen until Q3 2018.

~~~
lazyjones
> _Likely the same reason a lot of things are iffy on the web: backwards
> compatibility. You've got large organizations_

These large organizations, affected by purely hypothetical problems (nobody
bothered to check for any real issues, or release a developer version of a
fix), are a clear minority compared to the entities affected by the security
problem that needs fixing. If that's how all the cruft gets added to HTML by a
few people from 2-3 browser vendors, it's no wonder that it looks like it does
and increasingly frustrates web developers to the point of resignation.

~~~
tonyarkles
For the record, I'm one of the web developers that resigned. Not from a large
company, but from a small consulting company. I'm back in embedded land, and
I'm way happier for it. Sure, the vendor-provided code is often shit, but it
can be rewritten if necessary.

