This must be how those websites do it. You know, those websites from hell that flush your entire history with copies of the one page when you load them so your back button doesn't work.
And then the rel="noopener" affair. Apparently, links with target="_blank" give the opened page access to the opening page's window object. And this can be used to reload, redirect, or otherwise screw up the opening page.
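A defensive check for the behaviour described above, as an added example that is not part of the original post: it scans an HTML string for target="_blank" links that lack rel="noopener" (or noreferrer, which implies it) and rewrites them. The function names, the regex-based tag scanning and the sample markup are assumptions made for illustration.

```javascript
// Added example: audit and harden target="_blank" links in an HTML string.
// Assumption: regex scanning is adequate for simple templates where attribute
// values contain no ">"; use a real HTML parser for arbitrary markup.
const ANCHOR = /<a(\s[^>]*)>/gi;
const ATTR = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;

function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // On duplicate attributes the first occurrence wins, as in browsers.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// A link is flagged when it opens a new browsing context without opting out
// of handing the new page a reference to the opening window.
function isExposed(attrs) {
  if ((attrs.get("target") || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.get("rel") || "").toLowerCase().split(/\s+/);
  return !(rel.includes("noopener") || rel.includes("noreferrer"));
}

function hardenBlankTargets(html) {
  const findings = [];
  const fixed = html.replace(ANCHOR, (tag, raw) => {
    const attrs = parseAttrs(raw);
    if (!isExposed(attrs)) return tag;
    findings.push(attrs.get("href") || "(no href)");
    // Keep existing rel tokens (e.g. nofollow) and append noopener.
    const kept = (attrs.get("rel") || "").split(/\s+/).filter(Boolean);
    attrs.set("rel", [...kept, "noopener"].join(" "));
    const out = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${out.join(" ")}>`;
  });
  return { fixed, findings };
}

// Constructed sample markup, not taken from any real site.
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">plain</a>',
  '<a href="https://example.com/b" target="_blank" rel="nofollow">nofollow only</a>',
  '<a href="https://example.com/c" target=_BLANK rel="noreferrer">already safe</a>',
  '<a href="/local" data-rel="x">same tab</a>',
].join("\n");

console.log(hardenBlankTargets(SAMPLE).findings);
```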
I feel like I've lost all faith in the committees who make these decisions. Next I'm going to find out there's a JS API for editing the user's bookmarks, or deleting files on their local drive. You don't do security by giving strangers every power you can think of over your user's device, and building in an enigmatic web of restrictions on top of that.
Originally published at yujiri.xyz.