When clicking a link to a JavaScript URL, should the JavaScript URL execute in the same origin? E.g., should document.domain be the same as the opening page?
It has to be, for historical back compat, I suppose.
Example: <a href="javascript:alert(document.domain)">
What if the <a> element is target=_blank?
It does not inherit in Chrome, but it did in Firefox. Chrome opens a new tab at about:blank#blocked.
Update: Firefox fixed this in bug 1694993, tracking Firefox 107.
Example: <a href="javascript:alert(document.domain)" target="_blank">
We know that target=_blank implies rel=noopener as of (somewhat) recently. Is this connected?
It seems so. Explicit rel=opener does inherit the origin and alerts the same domain in both browsers.
Example: <a href="javascript:alert(document.domain)" target="_blank" rel="opener">
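The three cases above can be checked for in templates before they ship. The following is an added example, not code from the original page: a small Node.js lint that finds javascript: links in markup and labels each with the behaviour described here. The function names, verdict labels and the fourth sample link are assumptions made for illustration, and the noopener/noreferrer precedence follows the HTML Standard rather than anything tested on this page.

```javascript
// Added example (not from the original page). Regex-based scan, no character-reference
// decoding and no <base target> handling: a template lint, not a full HTML parser.

// Parse one <a ...> start tag into a lower-cased attribute map (first duplicate wins, as in HTML).
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<a/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// URL parsing ignores leading C0 controls/spaces and embedded tab/newline; scheme is case-insensitive.
function isJavaScriptUrl(href) {
  const cleaned = href.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(cleaned);
}

// Map target/rel to the behaviour described in the text above.
function classify(attrs) {
  const target = (attrs.target || '').toLowerCase();
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  if (target === '' || target === '_self') return 'same-origin';   // plain link
  if (target !== '_blank') return 'not-covered';                   // named targets are not discussed here
  if (rel.includes('noopener') || rel.includes('noreferrer')) return 'no-inherit';
  return rel.includes('opener') ? 'inherits-opener-origin' : 'no-inherit'; // _blank implies noopener
}

function auditJsLinks(html) {
  // Quoted attribute values may contain '>', so skip over them when finding the end of the tag.
  const tags = html.match(/<a(?=[\s>\/])(?:"[^"]*"|'[^']*'|[^>"'])*>/gi) || [];
  return tags.map(parseAttrs)
    .filter(a => typeof a.href === 'string' && isJavaScriptUrl(a.href))
    .map(a => ({ href: a.href, verdict: classify(a) }));
}

// Constructed sample: the page's three examples plus one ordinary link that must be ignored.
const SAMPLE = `
<a href="javascript:alert(document.domain)">one</a>
<a href="javascript:alert(document.domain)" target="_blank">two</a>
<a href="javascript:alert(document.domain)" target="_blank" rel="opener">three</a>
<a href="https://example.test/" target="_blank">four</a>`;

console.log(auditJsLinks(SAMPLE));
```

Links reported as same-origin or inherits-opener-origin are the ones whose script runs with the linking page's origin, so those are the ones to review first.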