WordPress.org
Get WordPress

Make WordPress Core

Opened 11 months ago

Closed 11 months ago

#63096 closed defect (bug) (fixed)

Remove "noopener" from wp_list_bookmarks() output

Reported by: audrasjb's profile audrasjb Owned by: audrasjb's profile audrasjb
Milestone: 6.8 Priority: normal
Severity: normal Version: 5.9
Component: General Keywords: has-patch has-screenshots
Focuses: Cc:

Description

Introduced in [52061].

As stated in [59120], we should remove noopener relation value from wp_list_bookmarks().

Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab.

To easily reproduce the issue:

  • Install the Link Manager legacy plugin and a theme that supports Widgets, like Twenty Twenty
  • Add some links using target="blank setting on them
  • Add a Link widget to a widget area
  • Confirm that the link has a noopener attribute

Attachments (4)

before-patch.png (272.6 KB) - added by marineevain 11 months ago.
target blank before patch
after-patch.png (264.4 KB) - added by marineevain 11 months ago.
target blank after patch
before-patch.2.png (345.8 KB) - added by jeremy80 11 months ago.
after-patch.2.png (353.3 KB) - added by jeremy80 11 months ago.

Download all attachments as: .zip

Change History (11)

This ticket was mentioned in PR #8505 on WordPress/wordpress-develop by @rvouill.
11 months ago #1

  • Keywords has-patch added

https://core.trac.wordpress.org/ticket/63096

@marineevain
11 months ago

target blank before patch

@marineevain
11 months ago

target blank after patch

#2 @marineevain
11 months ago

Hi everyone,

I just tested the patch and it appears to work fine. I compared between current version on my "sandbox" WP website (Twenty-Nineteen theme) + Link Manager plugin. I did the same on the Playground test link (with Twenty-Twenty them + same plugin) and you can find attached the screenshots showing the difference.
Thanks for the patch!

#3 @audrasjb
11 months ago

  • Keywords has-screenshots added

@jeremy80
11 months ago

@jeremy80
11 months ago

#4 @jeremy80
11 months ago

Hi,

I just tested, before the patch (with Twenty Twenty on my local) and after the patch (Twenty Seventeen on Playground).

"noopener" before the patch on the target="_blank" link and no more "noopener" after the patch on the target="_blank" link. So it's all good :)

#5 @audrasjb
11 months ago

  • Owner set to audrasjb
  • Status changed from new to accepted

Moving for 6.8 consideration

#6 @audrasjb
11 months ago

  • Milestone changed from Awaiting Review to 6.8

#7 @audrasjb
11 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 60058:

General: Remove noopener from links opening in a new tab in wp_list_bookmarks().

This changeset removes the automatic addition of rel="noopener" from links targeting a new tab via target="_blank" in the wp_list_bookmarks() function. Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab. This also removes the unit test cases previously located in wpListBookmarks.php as they were dedicated to test the presence of rel="noopener".

Follow-up to [52061], [59120].

Props audrasjb, rvouill, marineevain, jeremy80.
Fixes #63096.

Note: See TracTickets for help on using tickets.