On 12/1/16 1:41 AM, Chris Holland wrote:
I think the devil would be in implementation detail. Slapping a
"rel/noopener" attribute on a specific link is very deterministic and
straightforward from a logic standpoint ---- Whichever window was created
from this link can't control the parent.


It's a much stronger guarantee. The guarantee is that the parent and the created window have no way to see each other at all. Neither one can read any state from the other, or even know the other one exists.

In particular, the idea is that rel="noopener" allows the new window to be opened in a separate process, or even a separate browser if desired. The only difference between it and the user copying the link and then pasting it into some other tab or other program is that a referrer header is sent.

Note that this guarantee makes for fairly simple implementation.

Having a header that opts in all links targeted at anything other than _parent, _self, and _top have the noopener behavior would be doable. Having a header that opts in some links based on the origin of the link href or something would probably be doable. Having a header that tries to add some sort of new mode wherein the two windows _can_ see each other but can't do some things that they can normally do would be a snake pit of complexity that is best avoided.

-Boris

Reply via email to