Via HackerOne. See https://hackerone.com/reports/317243.
We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.
Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.