Weblink Interactions

When you link to another website, it is easy to assume there is not much to consider: it is just a web address reference that the user can open. In fact, the link carries information about your page to the target and, once opened, the target gets a handle on your page.

Referrer Policy

The HTTP Referer header tells the target server which page the request originated from. When website A links to website B and the user clicks that link on website A, website B may learn the address of the source page, including its path and query string.

The Referrer Policy defines what the HTTP request includes in the Referer header when the link target is opened. It is set site-wide with the Referrer-Policy response header, or per page and per link with a <meta name="referrer"> element or a referrerpolicy attribute.

The default is strict-origin-when-cross-origin:

  • same-origin requests: origin, path, and query string
  • cross-origin requests with same protocol security level (HTTPS->HTTPS): origin
  • cross-origin requests with changed protocol security level (HTTPS->HTTP): nothing
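The three rules of the default policy, and the other standard policy values for comparison, as an added example that is not code from the original page. It assumes only the WHATWG URL class (available in Node.js and browsers); the sample navigations are constructed for illustration.

```javascript
// Added example, not code from the original page: computes the Referer value that a
// given Referrer Policy produces for a navigation from sourceUrl to targetUrl.
// Only the WHATWG URL class is used, so this runs in Node.js and in browsers.

// Schemes treated as "potentially trustworthy" for the downgrade check.
const SECURE_SCHEMES = new Set(['https:', 'wss:']);

// Referrer values never carry credentials or the fragment, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u;
}

// Returns the Referer header value as a string, or null when no header is sent.
function refererFor(sourceUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const src = stripForReferrer(sourceUrl);
  const dst = new URL(targetUrl);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = SECURE_SCHEMES.has(src.protocol) && !SECURE_SCHEMES.has(dst.protocol);
  const full = src.href;                // origin + path + query string
  const originOnly = src.origin + '/';  // an origin is serialised with a trailing slash

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'origin':
      return originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':   // the browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample navigations illustrating the three default-policy cases.
const SAMPLES = [
  ['https://a.example/page?q=1#top', 'https://a.example/other'],  // same-origin
  ['https://a.example/page?q=1', 'https://b.example/'],           // cross-origin, HTTPS->HTTPS
  ['https://a.example/page?q=1', 'http://b.example/'],            // cross-origin, HTTPS->HTTP
];

for (const [from, to] of SAMPLES) {
  console.log(`${from} -> ${to}: Referer = ${refererFor(from, to)}`);
}
```

Running it prints the full URL (minus fragment) for the same-origin case, only the origin for the HTTPS-to-HTTPS case, and null for the downgrade. The same function with the third argument set to `unsafe-url` shows why that policy leaks the path and query string of every page to every link target.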

Cross-Origin Opener Policy

When website A links to website B and the user clicks that link on website A, website B obtains a reference to the browsing context of website A (the open tab or window, not the site's content on the server) via window.opener. Even across origins, the opened page can use that reference to navigate the original tab to a different URL.

This matters whenever a link specifies a target, that is, whenever it opens the website in a new tab, window, or popup.

The Cross-Origin-Opener-Policy response header defines under which conditions a newly opened document stays in the same browsing context group as, and therefore keeps access to, its opener.

The default is unsafe-none.

A safer value is same-origin, which keeps the opener reference only for targets on the same origin.

On individual links (<a>), the rel attribute value noopener denies the target access to the opener. Current browsers also imply noopener for a _blank target (opens in a new tab or window), but an explicit rel="noopener" does not rely on that default and is required for any other named target:

<a href="https://example.org/external" rel="noopener">example</a>
<a href="https://example.org/external" target="_blank">example</a>
<a href="https://example.org/external" rel="noopener" target="popup">example</a>

When linking to a website or page for reference without endorsing it (for example, to cite a bad example, or to give a source for something you do not like), the rel value nofollow tells search engines not to treat the link as an endorsement of the target:

<a href="https://example.org/annoying-or-malicious" rel="nofollow">example</a>
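A small audit of the rel and target combinations discussed in the two passages above, as an added example that is not code from the original page. It assumes a site origin of `https://my.example` (hypothetical) and scans anchors with a regular expression rather than a full HTML parser; the sample page is constructed from the links shown above plus one deliberately bad link.

```javascript
// Added example, not code from the original page: a small audit of <a> tags for the
// rel/target combinations above. A regex tag scanner stands in for a full HTML parser
// so the snippet runs in Node.js without a DOM; it is not meant for adversarial markup.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute string of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when href resolves to an origin other than the site's own.
function isExternal(href, siteOrigin) {
  try {
    return new URL(href, siteOrigin).origin !== siteOrigin;
  } catch {
    return false; // unparseable href: nothing to audit
  }
}

// Returns one finding per cross-origin link that opens a new browsing context
// without explicitly severing window.opener via rel="noopener" (or "noreferrer").
function auditAnchors(html, siteOrigin) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(m[1]);
    const rel = new Set((a.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    const target = (a.target || '').toLowerCase();
    const opensNewContext = target !== '' && !['_self', '_parent', '_top'].includes(target);
    if (!opensNewContext || !a.href || !isExternal(a.href, siteOrigin)) continue;
    if (rel.has('noopener') || rel.has('noreferrer')) continue;
    findings.push({
      href: a.href,
      target,
      // _blank gets noopener implicitly in current browsers; a named target does not.
      issue: target === '_blank' ? 'implicit-noopener' : 'opener-exposed',
    });
  }
  return findings;
}

// Constructed sample page: the links from the text plus one deliberately bad one.
const SAMPLE_HTML = `
<a href="/internal" target="_blank">internal page</a>
<a href="https://example.org/external" rel="noopener">example</a>
<a href="https://example.org/external" target="_blank">example</a>
<a href="https://example.org/external" rel="noopener" target="popup">example</a>
<a href="https://example.org/external" target="popup">popup without noopener</a>
<a href="https://example.org/annoying-or-malicious" rel="nofollow">example</a>
`;

for (const f of auditAnchors(SAMPLE_HTML, 'https://my.example')) {
  console.log(`${f.issue}: ${f.href} (target=${f.target})`);
}
```

The audit reports two findings for the sample: the plain `target="_blank"` link, flagged only as relying on the browsers' implicit noopener, and the named `popup` target without rel="noopener", where the opened page keeps a usable window.opener. Same-origin links and links without a target are skipped because they never hand a cross-origin page the opener reference.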

Other rel Values

The rel attribute has many more possible values of varying significance, but those above are the most impactful regarding security, privacy, and unintended effects. One more worth knowing is noreferrer, which suppresses the Referer header for that link and also implies noopener.