(no)opener tests
no defense
no target
same-origin
same-site
cross-site
target="asd"
same-origin (only this one sends opener)
same-site
cross-site
target="_blank"
same-origin
same-site
cross-site
defense: noopener
same-origin
defense: noreferrer
same-origin
Materials
https://mathiasbynens.github.io/rel-noopener/
2021 update: Browsers now implicitly set rel=noopener for any target=_blank link, following a spec change. If the demo on this page no longer seems scary, congratulations — you’re using a modern browser!
https://github.com/whatwg/html/issues/4078
Windows opened via <a target=_blank> should not have an opener by default #4078
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener
Note: Setting target="_blank" on <a> elements now implicitly provides the same rel behavior as setting rel="noopener" which does not set window.opener.
https://chromestatus.com/feature/6140064063029248