Update 8/16/19 – It appears that not long after I published this, Chrome sent an update that now mimics Firefox. In Chrome you now get a new tab that has a URL of “about:blank#blocked”.
So I could see the payload there, but it wouldn’t execute. I was confused. I decided to load up Chrome and see what happens there. To my surprise, although it is what I originally expected, the alert box was displayed.
It turns out, the link tag wasn’t as simple as the above example. Instead it looked more like this:
In the event your testing runs across this same type of scenario, take the time to try different browsers to see if the results change.