A while back I ran across an interesting security hole
<a href="http://someurl.here" target="_blank">Link</a>
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener
. There are some restrictions, being cross-domain, but there's still some mischief that can be done
window.opener.location = 'http://gotcha.badstuff';
Now, HTML has a workaround
<a href="http://someurl.here" target="_blank" rel="noopener noreferrer">Link</a>
That prevents the new window from having window.opener
passed to it. That's fine and good for HTML, but what if you're using window.open
?
<button type="button" onclick="window.open('http://someurl.here', '_blank');">
Click Me
</button>
How would you block the use of window.opener
being passed here?
The window.open()
call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener')
should open the new window/tab with a null window.opener
.
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
This is supported in modern browsers including Chrome, and Firefox 52+.
From my experimentation, I see it works for:
But doesn't work for:
(All tests on a PC running Windows 10...)
For backwards compatibility it may be better to combine this with t3__rry's answer.