Self-synchronization of blog
Recently combing team when eslint, found such a configuration in airbnb
'react/jsx-no-target-blank': 2Introduce official document of something like this
如果你需要用 a 标签打开一个标签页时,你会使用 target='_blank' 这个属性,此时你需要添加 rel='noreferrer noopener'
That people are confused, maybe attribute is doing it, google it just knows that it is in order to solve security problems.
When you use target='_blank'when you open a new tab, the new page windowhas a property on an object opener, it points to the previous page of windowthe object, therefore, after a page before it gained control of a page, so terrible! !
Such is the case of a label <a href='/index'>打开连接</a>, open input in the console window.opener.alert(1)to see?
Even he can take effect in the case of cross-domain, such as opening <a href='https://github.com/ZhangFe/Blog'>链接<a/>later, you can use the window.opener.location.replaceurl before changing a page.
So, in order to avoid this, we need our protagonist debut!
For example, you now become such a link <a href='/index' rel=noopener>链接<a/> , you will find that after re-open window.openerhas been set to null, if some older browser, you can use rel=noreferrerit not only disabled window.openerafter a page can not get to referrer, and then not be use js to open a new page after the openerset nullto complete this function
var otherWindow = window.open();
otherWindow.opener = null;
otherWindow.location = url;Reference Document
HTTPS: //html.spec.whatwg.org / ...
HTTPS: //mathiasbynens.github ....