Unsafe Cross-Origin Links Test
What is it?
External links opened in a new tab with target="_blank" can, without the right safeguards, give the destination page JavaScript access to the original window, a long-standing browser quirk that modern browsers now mitigate by default. Adding rel="noopener" or rel="noreferrer" makes the protection explicit, ensures consistent behavior on older browsers, and enforces process isolation between the tabs. This test checks whether the external new-tab links on your page include the recommended rel attributes.
Why cross-origin link safety still matters
Without rel="noopener", the destination page can access the original window via JavaScript and potentially redirect it to a malicious URL while the user is reading the new tab. Modern browsers default to noopener behavior to prevent this, but explicit attributes still matter on legacy browsers and as documentation of intent. They also enforce process isolation: with noopener, the destination page runs in a separate browser process, so heavy JavaScript on the linked page cannot degrade the performance of the original tab.
Adding the attributes explicitly is also good code hygiene. They communicate the intent clearly to anyone reading the markup later, they survive copying or migrating content between sites, and they enable static-analysis lint rules to enforce the convention across a codebase. The cost is two extra characters per external link and the benefit is consistent behavior across browser versions.
Common situations this test catches
- Hand-written external links missing the attribute, especially in older content.
- Old content from before the editor added it automatically, where a one-time bulk update covers it.
- Markdown-rendered content where the renderer needs configuration to add the attributes by default.
- Embedded HTML from third-party sources that does not follow modern conventions.
This test reports external links that lack the recommended rel attributes. The fix guide below covers adding them in raw HTML, configuring CMS editors and Markdown renderers to add them by default, and lint rules that enforce the convention in framework code.
Pass rate:
- Top 100 websites: 45%. This value indicates the percent of top 100 most visited websites in the US that pass this test (in the past 12 months).
- All websites: 47%. This value indicates the percent of all websites analyzed in SEO Site Checkup (500,000+) in the past 12 months.
| Year | Pass rate |
|---|---|
| 2021 | 59% |
| 2022 | 48% |
| 2023 | 49% |
| 2024 | 45% |
How do I fix it?
This test fails when external links opened in a new tab (with target="_blank") lack the rel="noopener" or rel="noreferrer" attributes. Modern browsers (Chrome 88+, Firefox 79+, Safari 12.1+) apply noopener implicitly, so this is largely a defense for older browsers and a way to keep the destination page from running in the same browser process as the original tab. Fixing this issue means adding the attributes explicitly to every external target="_blank" link.
Example
<a href="https://example.com" target="_blank" rel="noopener noreferrer">
External link
</a>
Where to make the change
- Application code or templates: search for target="_blank" and add rel="noopener noreferrer" to each match. A simple find-and-replace handles most cases.
- WordPress: the block editor adds rel="noopener" automatically on every external link opened in a new tab. Older content may need a one-time bulk update.
- Shopify, Wix, Squarespace: editor-generated links typically include the rel attributes. Manual HTML embeds need them added.
- Headless or framework sites: wrap external links in a component that always sets the correct rel attributes.
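To locate the links that need the change in templates or exported content, the check this test describes can be run over an HTML file. The script below is an added example, not SEO Site Checkup's own code; the names find_unsafe_links and LinkAudit, the page URL and the sample markup are constructed for illustration, and "external" is assumed to mean a different origin (scheme, host and port) from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAFE_REL = {"noopener", "noreferrer"}  # either token satisfies the test

def origin(href, base):
    """(scheme, host, port) of href resolved against base; None if not http(s)."""
    try:
        parts = urlsplit(urljoin(base, href.strip()))
        if parts.scheme not in ("http", "https"):
            return None  # mailto:, tel:, javascript: and similar
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed host or port
        return None
    return (parts.scheme, (parts.hostname or "").lower(), port)

class LinkAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag not in ("a", "area") or "href" not in a:
            return
        if a.get("target", "").strip().lower() != "_blank":
            return  # same-tab links are outside this test
        dest = origin(a["href"], self.page_url)
        if dest is None or dest == origin("", self.page_url):
            return  # not a web link, or same origin as the page
        if not set(a.get("rel", "").lower().split()) & SAFE_REL:
            self.findings.append((self.getpos()[0], a["href"]))

def find_unsafe_links(html, page_url):
    """Return (line, href) for each external new-tab link missing the rel tokens."""
    audit = LinkAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample; https://site.example/page is a placeholder page URL.
SAMPLE = """<a href="https://example.com" target="_blank">no rel</a>
<a href="https://example.com" target="_blank" rel="noopener noreferrer">ok</a>
<a href="/about" target="_blank">same origin</a>
<a href="//cdn.example.net/x" target="_BLANK" rel="nofollow">wrong rel</a>
<a href="mailto:a@example.com" target="_blank">mail</a>"""

for line, href in find_unsafe_links(SAMPLE, "https://site.example/page"):
    print(f'line {line}: {href} needs rel="noopener noreferrer"')
```

Because the comparison is by origin, a link from the page to one of its own subdomains is reported as external.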
Common causes and how to resolve them
- Hand-written external links missing the attribute: add rel="noopener noreferrer" to each one.
- Old content from before the editor added it automatically: a one-time bulk update through the database or CMS export covers it.
- Markdown-rendered content: configure the renderer to add the attributes to every external link by default.
Best practices
- Use noopener noreferrer together: noopener handles the security concern, noreferrer additionally hides the referring URL. Both are safe defaults for most external links.
- Reserve target="_blank" for genuinely external links: internal links should open in the same tab so users can use the back button naturally.
- Add a lint rule: ESLint plugins for React and similar frameworks can enforce the rel attribute automatically.