Ruby

Made by DeepSource

link_to has _blank, but no rel: 'noopener' RB-RL1033

Security
Major
Autofix

Calls to link_to that set target: '_blank' without rel: 'noopener' are a security risk: the newly opened page receives a reference to the opening window through window.opener and can change that window's location, for example to redirect it to a phishing page.

The option rel: 'noreferrer' blocks this behavior as well, and additionally omits the HTTP Referer header so the opened page does not learn which page linked to it.

Bad practice

link_to 'Click here', url, target: '_blank'

Recommended

link_to 'Click here', url, target: '_blank', rel: 'noopener'

Recommended

link_to 'Click here', url, target: '_blank', rel: 'noreferrer'
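The following is an added example, not DeepSource's own analyzer code: a minimal Ruby checker and autofix for the pattern this rule describes. It flags single-line link_to calls that set target: '_blank' whose rel: option is missing or contains neither noopener nor noreferrer, and it rewrites them to the recommended form (preserving any existing rel: tokens such as nofollow). The regular-expression matching, the SAMPLE_VIEW input and the function names are assumptions for illustration; multi-line calls, hash-rocket syntax and helper wrappers around link_to are out of scope.

```ruby
# Added example (not part of the DeepSource rule page): detect and fix
# `link_to ..., target: '_blank'` calls that lack rel: 'noopener'/'noreferrer'.
# Matching is regex-based on single lines; it does not parse Ruby.

# target: '_blank' or target: "_blank" (quote style must match on both sides).
TARGET_BLANK = /\btarget:\s*(['"])_blank\1/

# rel: '<tokens>'; named groups so the quote and the token list are both captured.
REL_VALUE = /\brel:\s*(?<q>['"])(?<rel>[^'"]*)\k<q>/

# Either of these rel tokens severs the window.opener link.
SAFE_REL_TOKENS = %w[noopener noreferrer].freeze

# True when the line is a link_to call with target: '_blank' whose rel: option
# is absent or contains neither noopener nor noreferrer.
def unsafe_blank_link?(line)
  return false unless line.include?('link_to') && line.match?(TARGET_BLANK)

  m = line.match(REL_VALUE)
  return true if m.nil? # target: '_blank' with no rel: at all

  tokens = m[:rel].split(/\s+/)
  (tokens & SAFE_REL_TOKENS).empty?
end

# Returns the line rewritten to the "Recommended" form, or unchanged if it is
# already safe. An existing rel: value is extended rather than replaced so that
# tokens like 'nofollow' survive the fix.
def autofix_blank_link(line)
  return line unless unsafe_blank_link?(line)

  if (m = line.match(REL_VALUE))
    q = m[:q]
    tokens = m[:rel].split(/\s+/) + ['noopener']
    line.sub(REL_VALUE) { "rel: #{q}#{tokens.join(' ')}#{q}" }
  else
    line.sub(TARGET_BLANK) { |t| "#{t}, rel: 'noopener'" }
  end
end

# Scans a whole source text and returns [line_number, line] pairs for findings.
def find_unsafe_blank_links(source)
  source.each_line.with_index(1).filter_map do |line, n|
    [n, line.chomp] if unsafe_blank_link?(line)
  end
end

# Constructed sample view: lines 1 and 3 should be reported, the rest are safe.
SAMPLE_VIEW = <<~ERB
  <%= link_to 'Click here', url, target: '_blank' %>
  <%= link_to 'Docs', docs_url, target: '_blank', rel: 'noopener' %>
  <%= link_to 'Partner', partner_url, target: '_blank', rel: 'nofollow' %>
  <%= link_to 'Home', root_url %>
  <%= link_to 'Out', ext_url, target: '_blank', rel: 'noreferrer' %>
ERB

if $PROGRAM_NAME == __FILE__
  find_unsafe_blank_links(SAMPLE_VIEW).each do |n, line|
    puts "line #{n}: #{line}"
    puts "  fix:   #{autofix_blank_link(line)}"
  end
end
```

Run it as a script to see the two findings and their fixes; in a CI hook you would call find_unsafe_blank_links on each view file and fail the build on a non-empty result.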