# svelte/no-target-blank

disallow target="_blank" attribute without rel="noopener noreferrer"

# 📖 Rule Details

This rule disallows using target="_blank" attribute without rel="noopener noreferrer" to avoid a security vulnerability in legacy browsers where a page can trigger a navigation in the opener regardless of origin (see here for more details).

<script>
  /* eslint svelte/no-target-blank: "error" */
</script>

<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>

<!-- ✗ BAD -->
<a href="http://example.com" 
Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)
target="_blank"
>link</a>

# 🔧 Options

{
  "svelte/no-target-blank": [
    "error",
    {
      "allowReferrer": true,
      "enforceDynamicLinks": "always"
    }
  ]
}
  • allowReferrer … If true, allows the Referrer header to be sent by not requiring noreferrer to be present. default false
  • enforceDynamicLinks ("always" | "never") … If always, enforces the rule if the href is a dynamic link. default always

# { allowReferrer: false } (default)

<script>
  /* eslint svelte/no-target-blank: ['error', { allowReferrer: false }] */
</script>

<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>

<!-- ✗ BAD -->
<a href="http://example.com" 
Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)
target="_blank"
rel="noopener">link</a>

# { allowReferrer: true }

<script>
  /* eslint svelte/no-target-blank: ['error', { allowReferrer: true }] */
</script>

<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener">link</a>

<!-- ✗ BAD -->
<a href="http://example.com" 
Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)
target="_blank"
>link</a>
<script>
  /* eslint svelte/no-target-blank: ['error', { enforceDynamicLinks: 'always' }] */
</script>

<!-- ✓ GOOD -->
<a href={link} target="_blank" rel="noopener noreferrer">link</a>

<!-- ✗ BAD -->
<a href={link} 
Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)
target="_blank"
>link</a>
<script>
  /* eslint svelte/no-target-blank: ['error', { enforceDynamicLinks: 'never' }] */
</script>

<!-- ✓ GOOD -->
<a href={link} target="_blank">link</a>

<!-- ✗ BAD -->
<a href="http://example.com" 
Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)
target="_blank"
>link</a>

# 🚀 Version

This rule was introduced in eslint-plugin-svelte v0.0.4

# 🔍 Implementation