We have a customer who serves hundreds of online documents to both the public and a very large domestic network of 1099 employees. About half are considered part of the "online intranet" and yes, things open in new tabs.


The protected documents are initially guarded by a firewall system but are also very strictly controlled by numerous, specially crafted web server statements. These statements parse requests and regulate how files can be consumed from the document server. One requirement, among many, is that the referrer must come from, and only from, the authenticated server.

Many editors, including those in WordPress, TinyMCE and JCEeditor* (circa February 2017), started to implement a nofollow noreferrer policy, citing phishing risks associated with the target="_blank" vulnerability.

For those who are unaware of the [somewhat contrived] issue, one can read here or here. Essentially, the parent window's location can be changed by a page opened through a target="_blank" attribute on an anchor tag, and for some, especially those using progressive web apps or in-line mobile viewers, the risk of phishing is increased because of the lack of a title/URL bar.

Our project example makes this seem pretty silly. Our environment is completely controlled by us, on our own server. The interface is completely web based on desktop and mobile and has no special wannabe progressive app thing. Shouldn't a user be at least aware of the page they are visiting, or does everything need a warning label and safe-space indicator? Books don't have autolocks on the pages once you turn them...right?

Also, the whole concept of a worldwide Internet is to give human browsers the ability to find content through the use of the hyperlink that is provided to them by another human with similar interests.

It goes without saying that a site you send a user off to isn't controlled by you and should always be considered untrustworthy, aka noopener! Noreferrer and nofollow are equally stupid; the former is utterly destroyed by modern cookies and trackers, while the latter is for bots to avoid scumbag SEO click-baiting. If you have to use nofollow in your code you are doing something wrong and disserving your constituents and the Internet as a whole.

That aside, if your server is shared it makes sense to worry about some other chap bringing in a nasty SQL injection that redirects all your links, but at that point does it really make sense to call the fire department after the building has completely burnt to the ground? The vulnerability isn't the target="_blank" declaration but the security policy that wasn't developed in the first place.

Spend the resources to ensure that doesn't happen. Use open-source libre/freedom technology first and hire a competent IT company to use it properly...like Grip Fast Information Services and Technology! Let's get started.

*Within JCE's Global Configuration settings simply add into Custom Configuration Variables: allow_unsafe_link_target:true.


About the Writer
Chris Lessley
A server admin, dev ops warrior and website designer since 2002, Chris is a lover of all things Linux and open-source! Each blog topic has been tested by fire in the real world and shared with the hope to help others. Need more help? Hire me! Chris' other interests include fine art and the humanities in the classical tradition and can be found writing for our friends over at gripfastart.works. If you like this content, kindly consider donating to keep this website free to all, without ads.
