Assuming I have this HTML code:
<a href="mailto:me@example.org" target="_blank"></a>
As far as I know, for security and privacy reason, best practices tells I have to add rel="noopener noreferrer"
on every link that goes outside. Do I have to consider a mailto
link as an external link?
Within a mail message, I think it won't make any difference. Referrer headers include the URL of the location of the source link - but an email message does not have a URL, so I'd expect the referrer header to be empty or absent in that case.
It's not possible to use things like navigator.registerProtocolHandler
in an email client because they typically don't support any kind of scripting. When you're using a webmail client this might behave differently, but I've not tested that.
Going the other direction, if you have a web page containing the mailto link that gets sent to a mail client, I've never seen a mail client that does anything with a referrer URL, again, because it's not an HTTP client and is not handling an HTTP request, but a protocol hand-off.
Overall setting rel="noopener noreferrer"
will not harm your links, but I suspect it won't do anything useful or interesting from a functionality or security point of view either.
You can better understand it here: https://mathiasbynens.github.io/rel-noopener/
Short answer: no need, since the link doesn't open a new window
which could (ab)use the window.opener
issue explained in the link above.
UPDATE: As op pointed out - my assumption that a mail client will handle the mailto:
links was wrong. One could have used navigator.registerProtocolHandler
to make a web app handle these links (or any other links for that matter). Thus, I would say you should add rel="noopener noreferrer"
as originally proposed.