Links to cross-origin destinations are unsafe
Lighthouse flags any links to cross-origin destinations that are unsafe:
How this audit fails
Lighthouse uses the following algorithm to flag links as rel="noopener"
candidates:
- Gather all
<a>nodes that contain the attributetarget="_blank"and do not contain the attributerel="noopener"orrel="noreferrer". - Filter out any same-host links.
Because Lighthouse filters out same-host links,
there's an edge case that you might want to be aware of if you're working on a large site.
If your page opens a link to another section of your site without using rel="noopener",
the performance implications of this audit still apply.
However, you won't see these links in your Lighthouse results.
Each Best Practices audit is weighted equally in the Lighthouse Best Practices Score. Learn more in The Best Practices score.
How links to cross-origin destinations slow down your page
When you open another page using target="_blank", the other page may
run on the same process as your page, unless Site Isolation is enabled.
If the other page is running a lot of JavaScript, your page's performance may
also suffer. See The Performance Benefits of rel=noopener.
How links to cross-origin destinations introduce security vulnerabilities
The other page can access your window object with the window.opener property.
This exposes an attack surface because the other page
can potentially redirect your page to a malicious URL.
Learn more in Share cross-origin resources safely.
Improve your site's performance and prevent security vulnerabilities
Improve your site's performance and prevent security vulnerabilities
by adding rel="noopener" or rel="noreferrer"
to each link identified in your Lighthouse report.
In general, when you use target="_blank", always
add rel="noopener" or rel="noreferrer":
<a href="https://examplepetstore.com" target="_blank" rel="noopener">
Example Pet Store
</a>rel="noopener"prevents the new page from being able to access thewindow.openerproperty and ensures it runs in a separate process.rel="noreferrer"attribute has the same effect, but also prevents theRefererheader from being sent to the new page. See Link type "noreferrer".
More information
Unsafe links to cross-origin destinations audit source
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.