`rel="noreferrer noopener"` missing from menu links with `target="_blank"`

I have some links to PDFs in my menu that I want to open in new tabs/window. I added target open in new tab to the options available in menu config. Those PDFs now open in new tabs but the link does not have rel="noopener noreferrer" to prevent clickjacking and tabnabbing.

It’s my understanding WordPress is supposed to add that to the link whenever target="_blank" is present. That’s not happening. Any ideas?

Just saw this in my DuckDuckGo search (this is an AI result)

> WordPress no longer automatically adds rel="noopener noreferrer" to target="_blank" links in menus as of recent core updates.
>
> This change is part of a broader effort to align with modern browser behavior. Since most current browsers (including Chrome, Firefox, and Safari) now automatically apply noopener when target="_blank" is used, WordPress no longer adds the rel="noopener" attribute by default for security reasons. This was confirmed in Ticket #53843, which was closed in WordPress 6.7, removing the automatic insertion of rel="noopener" in core.
>
> Key Points:
>
> - Why the change? Modern browsers (e.g., Chrome 88+, Firefox 79+) automatically prevent the new tab from accessing window.opener, making the rel="noopener" attribute redundant.
> - Impact on menus: The rel="noopener" attribute is no longer added to menu links with target="_blank" by default.
> - Security still maintained: The security benefit is now handled at the browser level, so no additional rel attribute is needed.
> - What about noreferrer? The noreferrer part was already removed in earlier updates (e.g., #49558), as it’s not required when noopener is implied.
>
> If You Need to Re-Add It:
>
> While not necessary, you can manually add rel="noopener" or rel="noopener noreferrer" to menu links via:
>
> - Custom CSS/JS (not recommended).
> - A code snippet plugin using the wp_targeted_link_rel filter.
> - A custom walker for menus.

WordPress is assuming people are keeping their browsers updated. That’s a pretty big assumption.

Hello @brocknessmonster,

Understand that the theme does not have any control over WordPress or how the browser would render an element or its properties. You may need to use a custom script to force an older browser to open the PDF in a new tab. In my opinion, this is the only option since we also cannot control other people who aren’t using the updated browsers on their computers.

Cheers.


I found a way to add this back. Go to Settings > Menu. Go to Screen Options (top). Click on Link Relationship (XFN). Go back to the Menu I need to modify. Add noopener noreferrer to Link Relationship (XFN). Boom done.

This should help the site pass security audits. Thanks.

Hello @brocknessmonster.

That’s a correct and useful workaround for passing certain security‑audit checks.

Thanks


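For sites with many menu items, the same result as the Link Relationship (XFN) workaround above can be applied to every new-tab menu link in code. This is an added example, not code from the thread or from the theme: it uses WordPress core's `nav_menu_link_attributes` filter, the callback name `example_menu_blank_rel` is hypothetical, and it is assumed to live in a child theme's `functions.php` or a small plugin.

```php
<?php
/**
 * Added example (not from the thread): make sure every nav menu link that
 * opens in a new tab carries rel="noopener noreferrer".
 */
add_filter( 'nav_menu_link_attributes', 'example_menu_blank_rel', 10, 1 );

function example_menu_blank_rel( $atts ) {
	// Only touch links marked "Open link in a new tab" in the menu editor.
	if ( empty( $atts['target'] ) || '_blank' !== strtolower( trim( $atts['target'] ) ) ) {
		return $atts;
	}

	// Keep whatever is already in rel (for example XFN values entered in
	// the Link Relationship field) and split it into individual tokens.
	$existing = empty( $atts['rel'] )
		? array()
		: preg_split( '/\s+/', trim( $atts['rel'] ), -1, PREG_SPLIT_NO_EMPTY );

	// Compare case-insensitively so "NoOpener" is not duplicated.
	$lowercase = array_map( 'strtolower', $existing );

	foreach ( array( 'noopener', 'noreferrer' ) as $required ) {
		if ( ! in_array( $required, $lowercase, true ) ) {
			$existing[] = $required;
		}
	}

	$atts['rel'] = implode( ' ', $existing );

	return $atts;
}
```

Because the filter merges tokens instead of overwriting `rel`, menu items that already have `noopener noreferrer` typed into the Link Relationship (XFN) field are left unchanged.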