Bug #8714
Security bug: WAnchor should set rel="noopener" when opening a link that opens in a new window
Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
06/20/2021
Due date:
% Done:
0%
Estimated time:
Description
Wt::WLink supports the very useful LinkTarget::NewWindow, which can be used to have a WAnchor element open a link in a new window. In HTML, such a link is rendered as follows:
<a id=".." href=".." target="_blank">..</a>
There is a problem with this: this gives the new window access to the opener through the JavaScript window.opener object, potentially leaking CSRF tokens etc. See https://mathiasbynens.github.io/rel-noopener/ for details.
In newer browsers, the behavior has been changed to not allow access to the opener unless rel="opener" is set on the link explicitly, which is a safer default.
To behave consistently and securely across browsers, Wt should set rel="noopener" on all links that open in a new window.
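As an added example (not part of this report or of Wt), the following Node.js snippet audits rendered HTML for anchors that open a new window without severing window.opener, i.e. target="_blank" whose rel token list contains neither noopener nor noreferrer. It uses a small regex-based tag scanner so it runs without a DOM; the sample markup is constructed and only mimics what a WAnchor with LinkTarget::NewWindow produces.

```javascript
// Added example: find target="_blank" anchors that still expose window.opener.
// Regex scanner, not a full HTML parser: attribute values containing '>' are
// not handled, which is fine for auditing markup a framework renders itself.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the attribute text of one <a ...> tag into a {name: value} map.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated token list; either noopener or noreferrer
// (which implies noopener) cuts the new window off from its opener.
// Returns null when the link is safe or does not open a new window.
function opensWithoutOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return null;
  const tokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes('noopener') || tokens.includes('noreferrer')) return null;
  return { id: attrs.id || '', href: attrs.href || '', rel: attrs.rel || '' };
}

// Scan a rendered page and report every offending anchor.
function findUnsafeNewWindowLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const hit = opensWithoutOpener(parseAttributes(m[1]));
    if (hit) findings.push(hit);
  }
  return findings;
}

// Constructed sample: o1 is what WAnchor currently renders for NewWindow,
// o2/o3 are the fixed forms, o4 stays in the same window, o5 opts in to
// the opener explicitly and is reported so it can be reviewed.
const SAMPLE_HTML = `
<a id="o1" href="https://example.org/a" target="_blank">unsafe</a>
<a id="o2" href="https://example.org/b" target="_blank" rel="noopener">safe</a>
<a id="o3" href="https://example.org/c" target="_blank" rel="noreferrer nofollow">safe</a>
<a id="o4" href="https://example.org/d">same window</a>
<a id="o5" href='/e' target='_BLANK' rel="opener">explicit opener</a>
`;

console.log(findUnsafeNewWindowLinks(SAMPLE_HTML));
```

Until WLink sets the attribute itself, the same check applied to a Wt page's output tells you which anchors still need rel="noopener" added through setAttributeValue() as the report describes.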
Other improvements to consider:
- Wt could provide an option to set rel="opener" (maybe by introducing a new LinkTarget value like NewWindowWithOpener) but I'm not sure it makes sense for Wt apps.
- Wt could provide an option to set rel="noreferrer". It's currently possible to do this via setAttributeValue() on the WAnchor object, but it might make sense for this to be part of the WLink instead.