While it's a smart rule to have, one of our small annoyances has been the jsx-no-target-blank rule. I work on a large project that makes use of target="_blank" fairly often, and requiring rel="noopener noreferrer" all over the place adds noise that I'm not sure is necessary for a dev to care about.
We created a custom component <A/> with the logic to add the attribute values whenever target="_blank". This works great, but it adds a little bit of overhead, and since eslint no longer sees it as an anchor tag, we don't get other possible warnings targeted at anchor tags.
So that's the background, here's the ask:
Would CRA be welcome to the idea of making this security fix automatic via babel plugin (found babel-plugin-jsx-target-blank) instead of warning the user by eslint?
I'm not sure of the implications of this (i.e. does anyone have valid use-cases for ignoring this rule? would it break their apps?), so I wanted to open it up for discussion before creating a PR.
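The rel handling that a wrapper component or build-time transform like the one proposed above has to perform, as an added example that is not part of the original post and is not code from CRA, eslint-plugin-react or babel-plugin-jsx-target-blank. The names `REQUIRED_REL`, `missingRel` and `hardenAnchorProps` are hypothetical, and the sample props are constructed.

```javascript
// Added example; every name in this block is hypothetical.
const REQUIRED_REL = ["noopener", "noreferrer"];

// HTML matches the _blank keyword ASCII case-insensitively.
function opensBlank(target) {
  return typeof target === "string" && target.toLowerCase() === "_blank";
}

// rel is a whitespace-separated token list; keywords are case-insensitive.
function relTokens(rel) {
  return String(rel || "")
    .split(/\s+/)
    .filter(Boolean)
    .map((token) => token.toLowerCase());
}

// Lint-style check: which required tokens does this anchor lack?
// Anchors that do not open a new browsing context need nothing.
function missingRel(props) {
  if (!opensBlank(props.target)) return [];
  const present = new Set(relTokens(props.rel));
  return REQUIRED_REL.filter((token) => !present.has(token));
}

// Auto-fix: return a copy of the props with the missing tokens appended.
// Existing tokens such as "nofollow" are preserved and de-duplicated.
function hardenAnchorProps(props) {
  const missing = missingRel(props);
  if (missing.length === 0) return { ...props };
  const merged = [...new Set([...relTokens(props.rel), ...missing])];
  return { ...props, rel: merged.join(" ") };
}

// Constructed sample inputs.
const samples = [
  { href: "https://example.test/a", target: "_blank" },
  { href: "https://example.test/b", target: "_BLANK", rel: "nofollow noopener" },
  { href: "/local", target: "_self" },
];
for (const props of samples) {
  console.log(missingRel(props), hardenAnchorProps(props));
}
```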
This is actually a pretty good idea.
I have only two questions/concerns:
"noopener noreferrer"?
Safari automatically adds noopener to links with target=_blank (https://trac.webkit.org/changeset/237144/webkit/) and other browsers are experimenting with it (https://github.com/whatwg/html/issues/4078). Maybe in 1 year, if you're building an app for ever-green browsers, these attributes will be unnecessary. Just something to consider.
Well, target=_blank will imply noopener, but noreferrer will continue to be somewhat stronger (but can also be achieved using the referrerpolicy attribute).
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
This issue has been automatically closed because it has not had any recent activity. If you have a question or comment, please open a new issue.