rel=“noopeneer noreferrer” — typo appears 14× on the war.gov homepage
Every external link on the war.gov homepage uses `rel="noopeneer noreferrer"`. The correct attribute is `noopener`. The typo got copy-pasted into the template and shows up 14 times.
Minor security regression they don’t know about. Browsers ignore the unknown `noopeneer` token and fall back to `noreferrer` only — which means external sites the user navigates to can still touch `window.opener` and trigger reverse tab-napping if a malicious link were ever embedded.
By the numbers
Evidence
Searching the homepage HTML for the literal string noopeneer returns 14 matches. Every one is in a <a rel="noopeneer noreferrer" ...> external link.
The intended attribute is noopener. From MDN: *"Without this, the new page can use window.opener to redirect your page to a phishing URL."* Browsers don’t throw an error on unknown rel tokens — they silently ignore them — so the typo is functionally equivalent to never having added the protection at all.
The same typo is noted as a sub-bullet in finding html-curios for the /UFO/ page; counting across war.gov, it’s pervasive.