A link with `target="_blank"` can lead to a kind of phishing attack known as 
*tabnabbing*.
Details of this attack are described below.

- http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
- https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

This is caused by the `window.opener` JavaScript API, and it can be prevented by 
the new `rel=noopener` API.

So I propose adding this attribute to `link_to` when it is given `target: 
"_blank"`.

```ruby
link_to "External link", "http://www.rubyonrails.org/", target: "_blank"
```

```html
<!-- before -->
<a href="http://www.rubyonrails.org/" target="_blank">External link</a>
<!-- after -->
<a href="http://www.rubyonrails.org/" target="_blank" rel="noopener">External link</a>
```

Here is the `noopener` spec.

https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener

Currently implemented by Chrome/Opera.

http://caniuse.com/#search=noopener

`noreferrer` is considered an alternative to `noopener` for older browsers,
but it causes the referrer not to be sent to the server, so it would be a breaking 
change for some apps.
`noopener` has no side effects for apps, unless they use `window.opener`, 
of course.


I'm posting this to ask you guys before writing a PR, according to the guidelines.

thanks.
Jxck
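As an added illustration of the proposed behaviour (this is example code written for this page, not Rails' own `link_to` and not Jxck's patch), here is a small stand-alone helper that builds an `<a>` tag and, whenever the caller passes `target: "_blank"`, makes sure the `rel` attribute contains `noopener` exactly once while preserving any other `rel` tokens the caller already set (e.g. `nofollow`). The module name `SafeLinkHelper` and the `rel_for` method are hypothetical names chosen for this example; the only dependency is Ruby's standard `cgi` library for HTML escaping.

```ruby
require "cgi"

# Hypothetical helper (not Rails' link_to): renders an anchor tag and, when the
# caller asks for target="_blank", adds rel="noopener" so the opened page gets
# a null window.opener and cannot navigate the originating tab (tabnabbing).
module SafeLinkHelper
  module_function

  # Compute the rel token list for the given options.
  # - existing tokens (e.g. "nofollow") are kept in their original order
  # - "noopener" is appended once when target is "_blank"
  def rel_for(options)
    tokens = options[:rel].to_s.split(/\s+/).reject(&:empty?)
    if options[:target].to_s == "_blank" && !tokens.include?("noopener")
      tokens << "noopener"
    end
    tokens
  end

  # Build the <a> tag. Every attribute value and the link text are HTML-escaped.
  # Attribute order is href, then the caller's options (minus rel), then rel.
  def link_to(text, href, options = {})
    attrs = { "href" => href }
    options.each { |key, value| attrs[key.to_s] = value.to_s unless key == :rel }
    rel = rel_for(options)
    attrs["rel"] = rel.join(" ") unless rel.empty?
    attr_str = attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v)}") }.join(" ")
    "<a #{attr_str}>#{CGI.escapeHTML(text)}</a>"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Same call as in the proposal above; prints the "after" markup.
  puts SafeLinkHelper.link_to("External link", "http://www.rubyonrails.org/", target: "_blank")
  # A link that already carries rel="nofollow" keeps it and gains noopener.
  puts SafeLinkHelper.link_to("Sponsor", "https://example.com/", rel: "nofollow", target: "_blank")
  # No target: nothing is added, so same-tab links are untouched.
  puts SafeLinkHelper.link_to("Home", "/")
end
```

The token-merging step is the part worth getting right in a real patch: simply setting `rel: "noopener"` would silently overwrite a `rel` the caller passed, and appending a string without de-duplication would emit `noopener` twice when a caller already added it by hand.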

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
Visit this group at https://groups.google.com/group/rubyonrails-core.