As noted by the security team, all hrefs in our apps should include rel="noopener noreferrer".
Add this as a default attribute on the anchor element of CalciteLink.
Problem?
The attribute is on by default.
Should we have a prop to turn it off?
CalciteLink
Security in applications.
This should only happen when there's a domain change? I remember @macandcheese implementing something like this in our old doc site links. We only applied to links going to external URLs.
I think this should be up to the user to add, currently it's not a defined prop but gets spread to the child link if added as an attribute.
noopener and noreferrer both only apply to cross domain links. Anything internal is sort of a moot point (i.e. esri.com/page-1/ links to esri.com/page-2/).
There are situations where you would probably want to keep the referrer. This would essentially allow other sites to see your referral traffic. If you put on noreferrer the site you link to will see the traffic reported as direct traffic. If you're trying to build a network to drive link authority, this would probably make that harder because your partners won't see the value you're providing them. This really only applies in SEO/Marketing scenarios.
noopener is the more important one, _especially_ if you're using target="_blank". The page you linked to gets access to _your page_ via window.opener. This means they can do a whole bunch of nefarious things.
Detecting target="_blank" and adding the rel attribute to the anchor would actually be a very nice security feature as it would prevent devs from leading their users to this kind of exploit. We could always allow devs to override that behavior by setting rel themselves like <calcite-link rel="">.
noopener is the more important one, _especially_ if you're using target="_blank".
It sounds like this may now be the browser's default: https://www.chromestatus.com/feature/6140064063029248