JNofollowREL · TARGET · JOOMLA 4 & 5

Link attributes & basics · Knowledge

What do noopener and noreferrer protect against?

Unlike nofollow, these two are not about search engines at all: noopener and noreferrer are security and privacy values that change how the browser opens the link.

noopener cuts the technical backchannel a target=“_blank” page has to your tab; noreferrer additionally suppresses the Referer header – the target no longer learns which page sent the visitor.

The tab backdoor, the referrer trail – and today's browser reality

The classic attack is called reverse tabnabbing: a page opened via target=“_blank” historically received a JavaScript handle to the opening tab (window.opener) and could redirect it – say, to a login phishing copy of the page the visitor believed was still open. rel=“noopener” severs that handle. noreferrer goes one step further on the privacy axis: without it, the browser tells the target which URL the click came from; with it, that trail ends – and as a technical bonus, noreferrer implies noopener. Now the honest modern footnote: current browsers open target=“_blank” links with noopener behaviour by default, so the acute danger has faded on up-to-date clients. Why explicit values are still right: older browsers and embedded webviews exist, security policies audit markup rather than browser versions, and an explicit attribute costs nothing while documenting intent. That is why sensible defaults pair the trio – and why a link tool for Joomla (ours included, labelled recommendation) treats noopener as the non-negotiable companion whenever target=“_blank” is enforced. One planning note for the analytics-minded: noreferrer means your site disappears from the target's referrer reports – between friendly sites that is sometimes unwanted, which is exactly what whitelists are for.

Key facts

Related questions

All knowledge topics