科技回声

A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

About rel=noopener

411 points by dmnd about 9 years ago

19 comments

stormbrew about 9 years ago
> Note that this also works when index.html and malicious.html are on different origins — window.opener.location is accessible across origins!

... Why. Why would anyone (not maliciously) consider this desirable behaviour?
teej about 9 years ago
This is the new pop-under. Sites trying to serve as many ads as possible will open links with target=_blank and redirect the old window to an ad.
jklinger410 about 9 years ago
This is a problem for browsers, not developers. target=_blank is too embedded into the web.
Dru89 about 9 years ago
What is the correct way to force a link to open in a new tab, then?

Unfortunately "let the user decide" is not the best answer if you want to link to something like "terms and conditions" in the middle of a sign up flow or something. If the user doesn't know how to open it in a new tab on their own, this can be extremely frustrating I'd imagine.
donatj about 9 years ago
Well I just had an "Oh sh*t" moment thinking about all the websites I built over the years at my old company that had target=_blank to commenters' sites... Aw crap.

Not my problem anymore, but I never even considered this.
ddoolin about 9 years ago
Is there a practical reason that a reference to the opener window is given to the opened window? That seems like something we could do without.
pmalynin about 9 years ago
This is a pretty old bug, I think I reported it a few years ago to Google.

EDIT: 2013 to be exact.
detaro about 9 years ago
If you open a page of your own site that then redirects to the target (like some pages do, presumably to hide the exact source URL in the referer-header before there was a header for it), is the opener-reference broken?
doughj3 about 9 years ago
I'm using Chromium and even the link with `rel=noopener` seems to be able to "hax" the first page. Am I reading it wrong or is `rel=noopener` supposed to protect against this?
vortico about 9 years ago
Note that all the opened page has control over is closing and changing the address of the tab. You can't insert HTML into the page, for example. Phishing seems to be the only problem this creates, but no more.
jaredsohn about 9 years ago
I built a quick userscript that treats rel="noopener" as default for links with target:"_blank".

It could be worth checking out if you want to avoid experiencing this security issue yourself (but I offer no warranties) or if you want to see if it would break any site you visit if browsers would enable the behavior by default.

https://github.com/jaredsohn/noopener_by_default
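Answering Dru89's question above about the correct way to open a link in a new tab, and in the spirit of jaredsohn's userscript, here is an added example in JavaScript that is not code from the original thread or from the noopener_by_default project. It gives every link that targets a new browsing context the rel="noopener noreferrer" the thread discusses, so the opened page sees window.opener === null and cannot navigate the tab that opened it, and it shows the matching pattern for windows opened from script. The helper names and the fake anchor objects used for the offline demo are assumptions constructed for this example; the DOM calls and the "noopener" window feature are standard browser APIs.

```javascript
// Added example for this thread (not code from the original post or from
// jaredsohn's noopener_by_default userscript): defender-side helpers that
// sever the window.opener link for every target="_blank" style anchor.
// Function names and the fake anchor objects are constructed for this example.

// "noreferrer" is included alongside "noopener" because browsers that
// predate "noopener" still honour "noreferrer", which also withholds the
// opener reference from the new window.
const PROTECTIVE_TOKENS = ['noopener', 'noreferrer'];

// Merge the protective tokens into an existing rel value, keeping tokens
// that are already there (e.g. "nofollow") and never duplicating any.
function hardenRel(rel) {
  const tokens = new Set(
    String(rel || '').toLowerCase().split(/\s+/).filter(Boolean)
  );
  for (const t of PROTECTIVE_TOKENS) tokens.add(t);
  return Array.from(tokens).join(' ');
}

// A link hands its opener to a new window whenever its target is anything
// other than the current, parent or top browsing context. "_blank" and
// named windows both qualify; same-origin destinations are not exempted,
// because the opened page can later redirect itself anywhere.
function needsHardening(target) {
  const t = String(target || '').trim().toLowerCase();
  return !(t === '' || t === '_self' || t === '_parent' || t === '_top');
}

// Harden one anchor-like object (anything exposing getAttribute and
// setAttribute). Returns true when the rel attribute was changed.
function hardenAnchor(anchor) {
  if (!needsHardening(anchor.getAttribute('target'))) return false;
  const before = anchor.getAttribute('rel') || '';
  const after = hardenRel(before);
  if (after === before) return false;
  anchor.setAttribute('rel', after);
  return true;
}

// Harden every <a> and <area> under a root that supports querySelectorAll
// (a Document, or any element). Returns the number of links changed.
function hardenDocument(root) {
  let changed = 0;
  for (const link of root.querySelectorAll('a[target], area[target]')) {
    if (hardenAnchor(link)) changed += 1;
  }
  return changed;
}

// For links opened from script: ask for "noopener" in the window features
// (current browsers honour it and return null) and, for older browsers that
// ignore the feature and hand back a window handle, null out opener on it.
function openWithoutOpener(win, url) {
  const handle = win.open(url, '_blank', 'noopener');
  if (handle) handle.opener = null;
  return handle;
}

// Minimal stand-in for an <a> element so the helpers can be exercised in
// Node without a DOM (constructed for this example).
function makeFakeAnchor(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (name) => (name in store ? store[name] : null),
    setAttribute: (name, value) => { store[name] = String(value); },
  };
}

// Constructed sample page: three links, of which only the first both needs
// and lacks protection. Returns the per-link rel values after hardening.
function demo() {
  const links = [
    makeFakeAnchor({ href: 'https://example.test/a', target: '_blank' }),
    makeFakeAnchor({ href: 'https://example.test/b', target: '_self' }),
    makeFakeAnchor({ href: 'https://example.test/c', target: '_blank',
                     rel: 'nofollow noopener noreferrer' }),
  ];
  const fakeDocument = { querySelectorAll: () => links };
  const changed = hardenDocument(fakeDocument);
  return { changed, rels: links.map((l) => l.getAttribute('rel')) };
}

// Browser entry point: harden the links present now and any added later
// (single-page apps, comment widgets). Skipped when there is no DOM.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  hardenDocument(document);
  new MutationObserver(() => hardenDocument(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Run it in Node to see the demo (`demo()` reports one link changed), or drop it into a page as the last script or as a userscript. It only protects the page that runs it: links on a site you do not control, and the script-opened case where the calling code bypasses `openWithoutOpener`, remain exposed, which is why the thread's real fix is browsers treating noopener as the default.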
homakov about 9 years ago
They ever heard of "security by default"? I guess no.
adrianN about 9 years ago
NoScript saves the day again.
Grom_PE about 9 years ago
Some time ago I was surprised that my Google Search page was replaced by something else after I returned from some spammy page (opened in another tab).

As the browser I use, Opera 12, also treats all links manually opened in the new tab as if they had target="_blank", giving them opener access, I decided to remove the window.opener altogether by replacing the "opener" string with "opera" in the opera.dll. This way it gets overwritten by the normal window.opera variable and is essentially hidden. So far I haven't encountered a site legitimately relying on this behavior.
zspitzer about 9 years ago
Wouldn't a simple solution be <base rel="noopener">
carey about 9 years ago
In the right circumstances, which as far as I can tell are when crossing between security zones, Internet Explorer and Edge already seem to block this. I've never been able to pin down exactly what's happening, or to get Google login to work on our intranet sites with IE as a result.
nsgi about 9 years ago
There should be an option in content security policy to prevent this on all links.
mindcrime about 9 years ago
*sigh* This is a perfect example of a title that should *not* have been changed. The original was objectively better than the current one. If you don't already know what rel=noopener is, you'd have no reason at all to click through on this. But the earlier title actually explained something *about* the content on the other end of the link.
_RPM about 9 years ago
Does this "work" for cross origin requests? If I plant a `target=_blank` in my website, user clicks it, goes to my second website, do I have control over the website the link came from? If not, I don't see the security issue. Of course you can XSS yourself, what have you.