On Wed, Nov 21, 2018 at 11:55 PM Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 11/21/18 11:50 PM, Ehsan Akhgari wrote:
> > Would it be OK if the answer to that question be "use window.open()"?
>
> Can one do noreferrer with window.open()?

Yes, by passing 'noopener' in the features argument:
https://html.spec.whatwg.org/multipage/window-object.html#apis-for-creating-and-navigating-browsing-contexts-by-name:disowned-its-opener

> Also, if your thing doing the navigation is a <form>, not <a>, then
> window.open is pretty hard to use for that. Then again, <form
> target="_blank"> is not that common...

That's true, this wouldn't cover the form submission use case. Which reminds me, it's impossible to block opener reference creation upon form submission right now as far as I can tell. This is actually a bug in the spec.
<https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#form-submission-algorithm:the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>
calls into "rules for choosing a browsing context" passing only two arguments, omitting the third one (noopener)
<https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name>.

I wonder if it makes sense to make a similar change here, to make <form target="_blank"> imply noopener behaviour and then if that proves to be Web compatible, propose to change the spec to pass false there?

Cheers,
Ehsan
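The two cases discussed in this message, as an added example that is not part of the original thread: a small audit that flags `target="_blank"` links without `rel="noopener"`/`noreferrer` and `target="_blank"` forms (which, per the message, had no opt-out at the time), plus the `window.open()` call with `'noopener'` in the features argument. The names `attr`, `auditOpeners`, `openDisowned` and the sample markup are constructed for illustration, and regex tag matching is a simplification of real HTML parsing.

```javascript
// Added example: static audit of markup for target="_blank" opener exposure.
// Assumption: regex tag matching is good enough for a sketch; use an HTML parser in practice.

// Read one attribute value (quoted or unquoted) from a start tag; null if absent.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Return one finding per element that opens a new context with an opener reference.
function auditOpeners(html) {
  const findings = [];
  for (const m of html.matchAll(/<(a|area|form)\b[^>]*>/gi)) {
    const tag = m[0];
    const el = m[1].toLowerCase();
    if ((attr(tag, 'target') || '').toLowerCase() !== '_blank') continue;
    if (el === 'form') {
      // Per the message: form submission cannot suppress the opener reference.
      findings.push({ el, tag, issue: 'form-opener' });
      continue;
    }
    // noreferrer also disowns the opener, so either keyword is accepted.
    const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
      findings.push({ el, tag, issue: 'missing-noopener' });
    }
  }
  return findings;
}

// Script-side equivalent described in the message: 'noopener' in the
// features argument, so the new browsing context has no opener.
function openDisowned(win, url) {
  return win.open(url, '_blank', 'noopener');
}

// Constructed sample markup (example.test is a placeholder host).
const SAMPLE = `
<a href="https://example.test/a" target="_blank">no rel</a>
<a href="https://example.test/b" target="_blank" rel="noopener">ok</a>
<a href="https://example.test/c" target=_blank rel="nofollow noreferrer">ok</a>
<a href="/local" data-target="_blank">not a target attribute</a>
<form action="https://example.test/pay" method="post" target="_blank"></form>
<form action="/search"></form>
`;
```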