WordPress.org
Get WordPress

Make WordPress Core

Opened 6 weeks ago

Closed 5 weeks ago

#63096 closed defect (bug) (fixed)

Remove "noopener" from wp_list_bookmarks() output

Reported by: audrasjb's profile audrasjb Owned by: audrasjb's profile audrasjb
Milestone: 6.8 Priority: normal
Severity: normal Version: 5.9
Component: General Keywords: has-patch has-screenshots
Focuses: Cc:

Description

Introduced in [52061].

As stated in [59120], we should remove noopener relation value from wp_list_bookmarks().

Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab.

To easily reproduce the issue:

  • Install the Link Manager legacy plugin and a theme that supports Widgets, like Twenty Twenty
  • Add some links using target="blank setting on them
  • Add a Link widget to a widget area
  • Confirm that the link has a noopener attribute

Attachments (4)

before-patch.png (272.6 KB) - added by marineevain 6 weeks ago.
target blank before patch
after-patch.png (264.4 KB) - added by marineevain 6 weeks ago.
target blank after patch
before-patch.2.png (345.8 KB) - added by jeremy80 6 weeks ago.
after-patch.2.png (353.3 KB) - added by jeremy80 6 weeks ago.

Download all attachments as: .zip

Change History (11)

This ticket was mentioned in PR #8505 on WordPress/wordpress-develop by @rvouill.
6 weeks ago #1

  • Keywords has-patch added

https://core.trac.wordpress.org/ticket/63096

@marineevain
6 weeks ago

target blank before patch

@marineevain
6 weeks ago

target blank after patch

#2 @marineevain
6 weeks ago

Hi everyone,

I just tested the patch and it appears to work fine. I compared between current version on my "sandbox" WP website (Twenty-Nineteen theme) + Link Manager plugin. I did the same on the Playground test link (with Twenty-Twenty them + same plugin) and you can find attached the screenshots showing the difference.
Thanks for the patch!

#3 @audrasjb
6 weeks ago

  • Keywords has-screenshots added

@jeremy80
6 weeks ago

@jeremy80
6 weeks ago

#4 @jeremy80
6 weeks ago

Hi,

I just tested, before the patch (with Twenty Twenty on my local) and after the patch (Twenty Seventeen on Playground).

"noopener" before the patch on the target="_blank" link and no more "noopener" after the patch on the target="_blank" link. So it's all good :)

#5 @audrasjb
5 weeks ago

  • Owner set to audrasjb
  • Status changed from new to accepted

Moving for 6.8 consideration

#6 @audrasjb
5 weeks ago

  • Milestone changed from Awaiting Review to 6.8

#7 @audrasjb
5 weeks ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 60058:

General: Remove noopener from links opening in a new tab in wp_list_bookmarks().

This changeset removes the automatic addition of rel="noopener" from links targeting a new tab via target="_blank" in the wp_list_bookmarks() function. Since this was introduced, supported browsers have changed their security policies and no longer allow the opened link to have JavaScript access to the previous tab. This also removes the unit test cases previously located in wpListBookmarks.php as they were dedicated to test the presence of rel="noopener".

Follow-up to [52061], [59120].

Props audrasjb, rvouill, marineevain, jeremy80.
Fixes #63096.

Note: See TracTickets for help on using tickets.