What is the rel='noopener' attribute in HTML5 links?
Use rel="noopener" to solve the security and performance problems caused by target="_blank". 1. It prevents new pages from manipulating the original page through window.opener to prevent redirection or phishing attacks; 2. Improve performance, make the new page run independently, and prevents the shared rendering process from slowing down the original page; 3. rel="noreferrer" includes the noopener function and additionally prevents the Referer header from sending, enhancing privacy, but affecting source statistics; 4. All modern browsers support noopener. The best practice is to always add rel="noopener" as long as you use target="_blank". If you need privacy protection, use rel="noreferrer".
The rel="noopener" attribute is used in HTML5 <a></a> (anchor) tags when opening a link in a new tab or window, typically with target="_blank" . It is a security and performance feature that prevents the new page from gaining control over the original (opener) window.
Here's how it works and why it matters:
What Problem Does rel="noopener" Solve?
When you use target="_blank" to open a link in a new tab, the new page runs in the same process as the original page and has access to the window.opener object. This means the new page can, in theory, manipulate the original page using JavaScript — for example, changing window.opener.location to redirect it or even perform phishing attacks.
Even if the linked site is trustworthy, using rel="noopener" is a safe practice because it eliminates this risk.
How to Use It
<a href="https://example.com" target="_blank" rel="noopener">Visit Example</a>
With rel="noopener" , the new tab cannot access the window.opener property, so it can't navigate or read anything from the original page.
Performance Benefits
In addition to security, rel="noopener" can improve performance. Without it, both pages share the same rendering process in some browsers. Using noopener ensures the new page runs independently, so the original page isn't slowed down by the new tab's JavaScript.
What About rel="noreferrer" ?
rel="noreferrer" is similar but stronger:
- It implies
noopener(so opener access is blocked). - It also prevents the
Refererheader from being sent to the new page.
<a href="https://example.com" target="_blank" rel="noreferrer">Visit Example</a>
Use noreferrer if you also want to hide the source of the traffic, but note that the linked site won't know where the visit came from (affects analytics).
Browser Support and Best Practice
- All modern browsers support
rel="noopener". - Even if you don't control the linked site, always use
rel="noopener"withtarget="_blank".
So, the recommended pattern is:
<a href="https://external-site.com" target="_blank" rel="noopener"> External Link </a>
Basically, just think:
- Use
target="_blank"? → Always pair it withrel="noopener". - Want extra privacy? → Use
rel="noreferrer"instead (including noopener).
It's a small change that improves both security and performance.
The above is the detailed content of What is the rel='noopener' attribute in HTML5 links?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undresser.AI Undress
AI-powered app for creating realistic nude photos
ArtGPT
AI image generator for creative art from text prompts.
Stock Market GPT
AI powered investment research for smarter decisions
Hot Article
Popular tool
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
20516
7
13630
4
How to detect if a browser supports HTML5 features? (Modernizr)
Mar 04, 2026 am 03:11 AM
The main reason for the failure of Modernizr detection is that the script is not successfully loaded or executed at an improper time. It is necessary to ensure that it is loaded synchronously, avoids CSP interception, and is executed before DOM construction. As an alternative, it is preferable to use CSS@supports and native API to detect empty scripts.
How to use the template tag for dynamic content in HTML5? (Cloning nodes)
Mar 05, 2026 am 02:15 AM
The template tag itself does not render and must be manually cloned and inserted. Template is a lazy container of HTML5. The browser will parse it but completely skip rendering and script execution. If you write Hello directly, nothing will appear on the page - this is not a bug, it is the design. To make it "alive", you must use JavaScript to extract the content, clone it, and then hang it on the DOM. A common mistake is to directly obtain document.querySelector('template').content and then try to appendChild. The result is an error or no response: because the content is a Docu
How to make a phone number clickable in HTML5? (Tel link)
Mar 05, 2026 am 02:29 AM
The correct way to write it is href="tel: 8613812345678". All non-numeric characters need to be cleared (only and numbers are retained). Mainland China numbers must be prefixed with 86. Extension numbers use;ext= format, and target="_blank" is disabled.
How to disable autocomplete on input fields in HTML5? (Form attributes)
Mar 05, 2026 am 02:31 AM
Autocomplete="off" sometimes does not take effect because modern browsers (such as Chrome ≥ 80) actively ignore it to ensure the password manager experience; to be truly effective, it needs to be combined with strategies such as semantic values (such as new-password), avoiding sensitive names, and dynamically generated attributes.
How to create a progress bar for file uploads in HTML5? (Progress tag)
Mar 06, 2026 am 02:22 AM
Why can't the tag directly display the upload progress? It is a read-only visual component. It does not listen to network requests and is not automatically bound to the upload process of XMLHttpRequest or fetch. If you put it in and don't update the value manually, it will always stop at 0%. What really drives it is the event monitoring in the upload logic you write yourself. A common mistake is to only monitor onload (upload completed) but miss upload.onprogress. XMLHttpRequest (not fetch) must be used to obtain real-time upload progress, because fetch does not expose the max attribute of the event in the upload phase and must be set to the file size (file.size
How to create a tooltip using only HTML5? (Title attribute)
Mar 06, 2026 am 12:23 AM
The title attribute is not a tooltip component, but an accessibility prompt mechanism implemented by the browser. The behavior, style, and interaction are uncontrollable and are only suitable for simple scenarios such as pure information supplement.
How to center an image vertically in HTML5? (Layout techniques)
Mar 07, 2026 am 02:05 AM
Flexbox is the most stable for centered images. The key is to set display:flex and align-items:center in the parent container and specify the height; using place-items:center for Grid is more concise; absolute positioning requires top:50% with transform:translateY(-50%); vertical-align is invalid for block-level centering.
How to insert a copyright symbol in HTML5? (Character entities)
Mar 05, 2026 am 02:57 AM
© and © have the same effect. The former is a named entity and is easy to read, while the latter is a decimal digital entity and has more stable compatibility. It is necessary to avoid the problems of CSS hiding, JS unescapement and missing semantics.
