
Adding `noopener` via JavaScript is not secure

Open S0AndS0 opened this issue 5 years ago • 2 comments

While there is an addNoOpener function within the scripts.{ts,js} file that injects noopener into a tags, this cannot be trusted. Linking to this script could be forgotten, the script could fail to load, and/or the client browser may not have JavaScript available or enabled.

Those unfamiliar with what rel="noopener" does may wish to check documentation from web.dev for more details.

Additionally, rel="noreferrer" supposedly does the same thing as noopener while also being more privacy friendly; I believe that this should be placed on every link with target="_blank" to mitigate possible issues with various regions.

S0AndS0 avatar May 21 '20 04:05 S0AndS0

As our site requires js to work, I think the right thing to do is to tell users that. So basically, we can then assume the client has js enabled.

oferb avatar May 26 '20 09:05 oferb

Requiring JavaScript to correct link security is not a good idea; scripts could fail to load, or only partially load, or be blocked entirely. This project has no control over what scripts will load properly over client networks, and zero guarantees that linked-to sites will remain benevolent.

Assuming that everything on the web will operate as intended, and making that opinion policy, will eventually hurt client experience and may directly harm their security.

S0AndS0 avatar May 27 '20 00:05 S0AndS0
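The build-time alternative argued for in this thread, as an added example that is not the accessible-graphs project's own code: a small Node.js script that audits emitted HTML for target="_blank" anchors lacking noopener/noreferrer and rewrites them in the markup itself, so the protection holds even when no client-side script (such as addNoOpener) ever runs. The sample HTML and all function names are constructed for this example.

```javascript
// Added example (not accessible-graphs code): audit and fix target="_blank"
// links at build time so rel="noopener noreferrer" ships in the static HTML
// rather than depending on a client script. SAMPLE_HTML is constructed input.

// Parse the attribute list of one <a ...> start tag into a lowercase-keyed map.
function parseAttrs(inner) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  for (const m of inner.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// Return the rel tokens of a parsed tag as a Set of lowercase words.
function relTokens(attrs) {
  return new Set((attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// Audit: list every <a target="_blank"> that carries neither noopener nor noreferrer.
function auditBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = relTokens(attrs);
    if (!rel.has("noopener") && !rel.has("noreferrer")) findings.push({ href: attrs.href || "", tag: m[0] });
  }
  return findings;
}

// Fix: rewrite offending tags so the rel attribute is present in the markup.
function fixBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, inner) => {
    const attrs = parseAttrs(inner);
    if ((attrs.target || "").toLowerCase() !== "_blank") return tag;
    const rel = relTokens(attrs);
    if (rel.has("noopener") || rel.has("noreferrer")) return tag;
    rel.add("noopener").add("noreferrer");
    const value = `rel="${[...rel].join(" ")}"`;
    // Replace an existing rel attribute (preceded by whitespace) or prepend a new one.
    return "rel" in attrs
      ? tag.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `$1${value}`)
      : tag.replace(/^<a\b/i, `<a ${value}`);
  });
}

// Constructed sample page: two unsafe links, one already safe, one same-tab link.
const SAMPLE_HTML = `
<a href="https://example.com/docs" target="_blank">docs</a>
<a href="https://example.org" target="_blank" rel="noopener">ok</a>
<a href="https://example.net" target=_blank rel="nofollow">partner</a>
<a href="/local">internal</a>
`;
```

Running auditBlankLinks over the output of fixBlankLinks should return an empty list; wiring that into the build (or CI) is what makes the check independent of the browser.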