I have some links to PDFs in my menu that I want to open in new tabs/window. I added target open in new tab to the options available in menu config. Those PDFs now open in new tabs but the link does not have rel="noopener noreferrer" to prevent clickjacking and tabnabbing.
It’s my understanding Wordpress is supposed to add that to the link whenever target="_blank" is present. That’s not happening. Any ideas?
Just saw this in my DuckDuckGo search (this is an AI result)
`WordPress no longer automatically adds rel=“noopener noreferrer” to target="_blank" links in menus as of recent core updates.
This change is part of a broader effort to align with modern browser behavior. Since most current browsers (including Chrome, Firefox, and Safari) now automatically apply noopener when target="_blank" is used, WordPress no longer adds the rel=“noopener” attribute by default for security reasons. This was confirmed in Ticket #53843, which was closed in WordPress 6.7, removing the automatic insertion of rel=“noopener” in core.
Key Points:
Why the change? Modern browsers (e.g., Chrome 88+, Firefox 79+) automatically prevent the new tab from accessing window.opener, making the rel=“noopener” attribute redundant.
Impact on menus: The rel=“noopener” attribute is no longer added to menu links with target="_blank" by default.
Security still maintained: The security benefit is now handled at the browser level, so no additional rel attribute is needed.
What about noreferrer? The noreferrer part was already removed in earlier updates (e.g., #49558), as it’s not required when noopener is implied.
If You Need to Re-Add It:
While not necessary, you can manually add rel=“noopener” or rel=“noopener noreferrer” to menu links via:
Custom CSS/JS (not recommended).
A code snippet plugin using the wp_targeted_link_rel filter.
A custom walker for menus.
`
Wordpress is assuming people are keeping their browsers updated. That’s a pretty big assumption.