Make target=_blank imply noopener; support opener

This reduces the number of coupled top-level browsing contexts and thereby reduces the attack surface somewhat.

Tests: web-platform-tests/wpt#15188.

Fixes #4078.

source

@@ -22628,16 +22628,15 @@ document.body.appendChild(wbr);</code></pre>
   <span>unordered set of unique space-separated tokens</span>. The <a href="#linkTypes">allowed
   keywords and their meanings</a> are defined below.</p>
 
-  <p><code data-x="attr-hyperlink-rel">rel</code>'s
-  <span data-x="concept-supported-tokens">supported tokens</span> are the keywords defined in
-  <a href="#linkTypes">HTML link types</a> which are allowed on <code>a</code> and
-  <code>area</code> elements, impact the processing model, and are supported by the user agent. The
-  possible <span data-x="concept-supported-tokens">supported tokens</span> are
-  <code data-x="rel-noreferrer">noreferrer</code> and
-  <code data-x="rel-noopener">noopener</code>.
-  <code data-x="attr-hyperlink-rel">rel</code>'s
-  <span data-x="concept-supported-tokens">supported tokens</span> must only include the tokens from
-  this list that the user agent implements the processing model for.</p>
+  <p><code data-x="attr-hyperlink-rel">rel</code>'s <span
+  data-x="concept-supported-tokens">supported tokens</span> are the keywords defined in <a
+  href="#linkTypes">HTML link types</a> which are allowed on <code>a</code> and <code>area</code>
+  elements, impact the processing model, and are supported by the user agent. The possible <span
+  data-x="concept-supported-tokens">supported tokens</span> are <code
+  data-x="rel-noreferrer">noreferrer</code>, <code data-x="rel-noopener">noopener</code>, and <code
+  data-x="rel-opener">opener</code>. <code data-x="attr-hyperlink-rel">rel</code>'s <span
+  data-x="concept-supported-tokens">supported tokens</span> must only include the tokens from this
+  list that the user agent implements the processing model for.</p>
 
   <p>Other specifications may add <a href="#linkTypes">HTML link types</a> as defined in <a
   href="#other-link-types">Other link types</a>, with the following additional requirements:</p>
@@ -23231,9 +23230,20 @@ document.body.appendChild(wbr);</code></pre>
    <var>targetAttributeValue</var> to the result of <span data-x="get an element's target">getting
    an element's target</span> given <var>subject</var>.</p></li>
 
-   <li><p>Let <var>noopener</var> be true if <var>subject</var>'s <a href="#linkTypes">link
-   types</a> include the <code data-x="rel-noreferrer">noreferrer</code>
-   or <code data-x="rel-noopener">noopener</code> keyword</p></li>
+   <li>
+    <p>Let <var>noopener</var> be true if one of the following is true:</p>
+
+    <ul class="brief">
+     <li><var>subject</var>'s <a href="#linkTypes">link types</a> include the <code
+     data-x="rel-noreferrer">noreferrer</code> or <code data-x="rel-noopener">noopener</code>
+     keyword.</li>
+
+     <li id="opener-processing-model"><var>subject</var>'s <a href="#linkTypes">link types</a> do
+     not include the <code data-x="rel-opener">opener</code> keyword and
+     <var>targetAttributeValue</var> is an <span>ASCII case-insensitive</span> match for "<code
+     data-x="">_blank</code>".</li>
+    </ul>
+   </li>
 
    <li><p>Let <var>target</var> and <var>replace</var> be the result of applying <span>the rules for
    choosing a browsing context</span> given <var>targetAttributeValue</var>, <var>source</var>, and
@@ -23804,6 +23814,17 @@ document.body.appendChild(wbr);</code></pre>
      Additionally, has the same effect as <code data-x="rel-noopener">noopener</code>.</td>
     </tr>
 
+    <tr>
+     <td><code data-x="rel-opener">opener</code></td>
+     <td><em>not allowed</em></td>
+     <td><span data-x="hyperlink annotation">Annotation</span></td>
+     <td class="no"> &middot; </td>
+     <td>Creates an <span>auxiliary browsing context</span> if the hyperlink would otherwise create
+     a <span>top-level browsing context</span> that is not an <span>auxiliary browsing
+     context</span> (i.e., has "<code data-x="">_blank</code>" as <code
+     data-x="attr-hyperlink-target">target</code> attribute value).</td>
+    </tr>
+
     <tr>
      <td><code data-x="rel-pingback">pingback</code></td>
      <td><span data-x="external resource link">External Resource</span></td>
@@ -24558,9 +24579,9 @@ document.body.appendChild(wbr);</code></pre>
   context</span>. E.g., its <code data-x="dom-opener">window.opener</code> attribute will be
   null.</p>
 
-  <p class="note">See also the <a href="#noopener">processing model</a> where the branching between
-  an <span>auxiliary browsing context</span> and a <span>top-level browsing context</span> is
-  defined.</p>
+  <p w-nodev  class="note">See also the <a href="#noopener">processing model</a> where the branching
+  between an <span>auxiliary browsing context</span> and a <span>top-level browsing context</span>
+  is defined.</p>
 
   <div class="example">
    <p>This typically creates an <span>auxiliary browsing context</span> (assuming there is no
@@ -24607,6 +24628,29 @@ document.body.appendChild(wbr);</code></pre>
   </div>
 
 
+  <h5>Link type "<dfn><code data-x="rel-opener">opener</code></dfn>"</h5>
+
+  <p>The <code data-x="rel-opener">opener</code> keyword may be used with <code>a</code> and
+  <code>area</code> elements. This keyword does not create a <span>hyperlink</span>, but <span
+  data-x="hyperlink annotation">annotates</span> any other hyperlinks created by the element (the
+  implied hyperlink, if no other keywords create one).</p>
+
+  <p>The keyword indicates that any newly created <span>top-level browsing context</span> which
+  results from following the <span>hyperlink</span> will be an <span>auxiliary browsing
+  context</span>.</p>
+
+  <p w-nodev class="note">See also the <a href="#opener-processing-model">processing model</a>.</p>
+
+  <div class="example">
+   <p>In the following example the <code data-x="rel-opener">opener</code> is used to allow the help
+   page popup to navigate its opener, e.g., in case what the user is looking for can be found
+   elsewhere. An alternative might be to use a named target, rather than <code
+   data-x="">_blank</code>, but this has the potential to clash with existing names.</p>
+
+   <pre><code class="html" data-x="">&lt;a href="..." <mark>rel=opener</mark> target=_blank>Help!&lt;/a></code></pre>
+  </div>
+
+
   <h5>Link type "<dfn><code data-x="rel-pingback">pingback</code></dfn>"</h5>
 
   <p>The <code data-x="rel-pingback">pingback</code> keyword may be used with <code>link</code>