.target() should set noreferrer and noopener #7

@hilbix

This probably is a breaking change.

When using E.A.target() this should set the .attr({rel:'noreferrer noopener'}) by default.
There can be some option which reverts this, such that the opened target can refer to opener/referrer.

This is good for the following reasons:

  • As a no-brainer, it should always be as secure as possible.
    • When A is used with a .target this usually means another window is opened, not the same window
    • When this new window is on a different origin, it should not be able to access window.opener nor the referrer by default for privacy reasons
  • If it is needed that the option is not set, you will quickly spot the problem and can fix it by adding the appropriate option.
    • The other way round it is usually just forgotten

Hence adding both options by default is the definitive way to go, even though this may be a breaking change.

Also noted:

If E.A uses some href which is not some absolute/relative path, this also should be automatic.
Again the argument is the no-brainer. Things always should be secure by default.
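
An added sketch of the secure-by-default behaviour requested above, not code from the library: `relFor`, its `unsafe` opt-out, and the reading of "not an absolute/relative path" as "resolves to an origin other than the page's" are assumptions.

```javascript
// Added example, not the library's code: relFor() and `unsafe` are hypothetical.
const SAFE_TOKENS = ['noopener', 'noreferrer'];

// True when href resolves to the page's own origin, as any absolute or
// relative path does. The URL parser does the work so that "//host",
// "/\host" and scheme-carrying hrefs are all recognised as leaving the page.
function staysOnOrigin(href, base) {
  try {
    return new URL(href, base).origin === new URL(base).origin;
  } catch {
    return false; // unparsable href: treat as foreign
  }
}

// Compute the rel attribute for an anchor.
//   href, target: the anchor's attributes (target may be undefined)
//   rel:          rel tokens the caller already set, if any (kept as-is)
//   base:         the page URL (location.href in a browser)
//   unsafe:       explicit opt-out that lets the target see opener/referrer
function relFor({ href, target, rel = '', base, unsafe = false }) {
  const tokens = rel.split(/\s+/).filter(Boolean);
  const protect = !unsafe && (Boolean(target) || !staysOnOrigin(href, base));
  if (protect) {
    for (const t of SAFE_TOKENS) {
      if (!tokens.some(x => x.toLowerCase() === t)) tokens.push(t);
    }
  }
  return tokens.join(' ');
}

// Constructed sample inputs.
const base = 'https://app.example/docs/index.html';
for (const a of [
  { href: 'page.html', target: '_blank' },          // target set: protected
  { href: '/a/b' },                                 // plain path, no target
  { href: '//other.example/x' },                    // leaves the origin
  { href: 'https://other.example/', target: '_blank', unsafe: true },
]) {
  console.log(JSON.stringify(a), '->', JSON.stringify(relFor({ ...a, base })));
}
```

Existing `rel` tokens are preserved, so a caller-supplied `nofollow` survives and the two tokens are never duplicated.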
