Security and performance issues with target="_blank" on links

Setting the value of a link’s target attribute to _blank will make the link open in a new tab or window. Ideally, you shouldn’t be doing this (and here’s why). But if you are, there are a couple of security and performance issues to be aware of.

Security

If a user clicks on one of your links which has target="_blank" set, the new page will have access to your page’s window object via the window.opener property. Does that sound like a bad thing? Because it is. The other page could redirect yours to a malicious URL.

Performance

The other issue with using target="_blank" is that the new page will be opened in the same process as yours. If the new page uses a shit ton of JavaScript, then your page’s performance is going to suffer.

What to do about it

Like I said: ideally, you shouldn’t be using target="_blank" in most cases. But if you must, you should also use the rel attribute and set its value to either noopener or noreferrer.

The noopener value prevents the new page from accessing your page’s window object via the window.opener property (it will just be null). It also ensures the new page runs in its own, separate process.

The noreferrer value does the same thing, and also prevents the browser from sending the Referer HTTP header.
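
As an added example (not code from the original post), here is one way to find links that open with target="_blank" but carry neither noopener nor noreferrer, and to add noopener while keeping any existing rel values. The function names relTokens, needsOpenerProtection, hardenRel and hardenLinks are hypothetical, chosen for this illustration.

```javascript
// Added example; all function names here are hypothetical.

// rel is a space-separated list of case-insensitive tokens.
function relTokens(rel) {
  return (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// True when the link opens a new tab or window and has neither
// protective token, so the opened page would get window.opener.
function needsOpenerProtection(target, rel) {
  if ((target || '').toLowerCase() !== '_blank') return false;
  const tokens = relTokens(rel);
  return !tokens.includes('noopener') && !tokens.includes('noreferrer');
}

// Returns the rel value to use. Existing tokens (nofollow etc.) are kept,
// lowercased, with noopener appended. Safe links are returned unchanged.
function hardenRel(target, rel) {
  if (!needsOpenerProtection(target, rel)) return rel || '';
  return [...relTokens(rel), 'noopener'].join(' ');
}

// Walks every <a> and <area> with a target attribute under `root`
// and fixes the unsafe ones. Returns how many elements were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll('a[target], area[target]')) {
    const target = el.getAttribute('target');
    const rel = el.getAttribute('rel');
    if (needsOpenerProtection(target, rel)) {
      el.setAttribute('rel', hardenRel(target, rel));
      changed++;
    }
  }
  return changed;
}

// In a browser, run this once the DOM has been parsed.
if (typeof document !== 'undefined') {
  console.log(`added rel="noopener" to ${hardenLinks(document)} link(s)`);
}
```

The same needsOpenerProtection check can be used in a template lint step, so unsafe links are caught before they ship rather than patched at runtime.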


For more on this topic, I recommend the following articles: