Adding noopener tag to rel attribute is a must as a security measure. noreferrer is somewhere in-between as a privacy measure. By default, the application can query the user agent’s DNT header and if DNT is checked it can add noreferrer tag to every external link on the page. And ideally it should be implemented in the backend if possible since some privacy-aware users disable JavaScript by default by using browser extensions such as NoScript.

Currently, I am using the following hack for my own blog. But like I said, not all users might be using JS.

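// Make external links in the articles open in a new tab & add "noreferrer noopener"
var post_links = document.querySelectorAll("article a");
for (let i = 0, tags = ["noreferrer", "noopener"]; i < post_links.length; i++) {
    // Read the raw attribute: the .href property is always resolved to an
    // absolute URL, so it never starts with "/".
    const raw_href = post_links[i].getAttribute("href") || "";
    if (raw_href.startsWith("/")) {
        continue; // site-relative (internal) link, leave it alone
    }
    post_links[i].target = "_blank";
    for (const tag of tags) {
        // relList compares whole tokens and add() skips ones already present
        post_links[i].relList.add(tag);
    }
}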
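
A backend version of the same idea, as an added example that is not the post author's code: it rewrites rendered article HTML on the server, always adding noopener to external links and adding noreferrer only when the request carried `DNT: 1`. `SITE_HOST`, `hardenLinks` and the other names are assumptions made for the example, and it expects markup produced by the application's own renderer rather than arbitrary HTML.

```javascript
// Added example, not the post author's code. SITE_HOST is an assumed host name.
const SITE_HOST = "blog.example";

// Opening <a ...> tag; quoted attribute values may themselves contain ">".
const A_TAG = /<a(\s(?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
// One attribute: name, then an optional double-, single- or unquoted value.
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(src) {
  const attrs = new Map();
  for (const m of src.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // As in HTML parsing, the first occurrence of a duplicate attribute wins.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? null);
  }
  return attrs;
}

function isExternal(href) {
  try {
    const url = new URL(href, `https://${SITE_HOST}/`);
    // Resolving first also classifies protocol-relative //host/ links correctly.
    return /^https?:$/.test(url.protocol) && url.hostname !== SITE_HOST;
  } catch {
    return false; // unparsable href: leave the tag untouched
  }
}

// dnt is the raw value of the request's DNT header ("1" = do not track).
function hardenLinks(html, dnt) {
  const required = dnt === "1" ? ["noopener", "noreferrer"] : ["noopener"];
  return html.replace(A_TAG, (tag, rawAttrs) => {
    const attrs = parseAttrs(rawAttrs);
    if (!attrs.get("href") || !isExternal(attrs.get("href"))) return tag;
    const rel = (attrs.get("rel") ?? "").split(/\s+/).filter(Boolean);
    attrs.set("rel", [...new Set([...rel, ...required])].join(" "));
    attrs.set("target", "_blank");
    const out = [...attrs].map(([name, value]) =>
      value === null ? name : `${name}="${value.replace(/"/g, "&quot;")}"`);
    return `<a ${out.join(" ")}>`;
  });
}
```

In a Node HTTP handler the second argument would be `req.headers.dnt`; because the rewrite happens before the page is sent, it also covers visitors who block JavaScript.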