# svelte/no-target-blank
disallow
target="_blank"
attribute withoutrel="noopener noreferrer"
# 📖 Rule Details
This rule disallows using target="_blank"
attribute without rel="noopener noreferrer"
to avoid a security vulnerability in legacy browsers where a page can trigger a navigation in the opener regardless of origin (see here for more details).
<script>
/* eslint svelte/no-target-blank: "error" */
</script>
<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>
<!-- ✗ BAD -->
<a href="http://example.com" Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)target="_blank">link</a>
# 🔧 Options
{
"svelte/no-target-blank": [
"error",
{
"allowReferrer": true,
"enforceDynamicLinks": "always"
}
]
}
allowReferrer
… Iftrue
, allows theReferrer
header to be sent by not requiringnoreferrer
to be present. defaultfalse
enforceDynamicLinks ("always" | "never")
… Ifalways
, enforces the rule if the href is a dynamic link. defaultalways
# { allowReferrer: false }
(default)
<script>
/* eslint svelte/no-target-blank: ['error', { allowReferrer: false }] */
</script>
<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>
<!-- ✗ BAD -->
<a href="http://example.com" Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)target="_blank" rel="noopener">link</a>
# { allowReferrer: true }
<script>
/* eslint svelte/no-target-blank: ['error', { allowReferrer: true }] */
</script>
<!-- ✓ GOOD -->
<a href="http://example.com" target="_blank" rel="noopener">link</a>
<!-- ✗ BAD -->
<a href="http://example.com" Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)target="_blank">link</a>
# { "enforceDynamicLinks": "always" }
(default)
<script>
/* eslint svelte/no-target-blank: ['error', { enforceDynamicLinks: 'always' }] */
</script>
<!-- ✓ GOOD -->
<a href={link} target="_blank" rel="noopener noreferrer">link</a>
<!-- ✗ BAD -->
<a href={link} Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)target="_blank">link</a>
# { "enforceDynamicLinks": "never" }
<script>
/* eslint svelte/no-target-blank: ['error', { enforceDynamicLinks: 'never' }] */
</script>
<!-- ✓ GOOD -->
<a href={link} target="_blank">link</a>
<!-- ✗ BAD -->
<a href="http://example.com" Using target="_blank" without rel="noopener noreferrer" is a security risk. (svelte/no-target-blank)target="_blank">link</a>
# 🚀 Version
This rule was introduced in eslint-plugin-svelte v0.0.4