I know you can use "noopener" with window.open, which explicitly tells your browser to forbid the child window from accessing the parent window. This should have the affect of using rel="noopener" in a hyperlink.

However, Chrome 88 is soon (2021?) going to make "noopener" the default.

So is there a way to do the opposite, and explicitly set it to "opener"? So that the child window DOES have access to the parent window? I'm hoping to fix my link before it breaks with the newest Chrome.

I assume it'd be the code below? I'm not sure how I'd test this before the next version of Chrome releases. But I also don't want to wait to make this change until after my link breaks with the next release.

window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1,opener')    

or

window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1', 'opener')

I know you can use "noopener" with window.open, which explicitly tells your browser to forbid the child window from accessing the parent window. This should have the affect of using rel="noopener" in a hyperlink.

However, Chrome 88 is soon (2021?) going to make "noopener" the default.

So is there a way to do the opposite, and explicitly set it to "opener"? So that the child window DOES have access to the parent window? I'm hoping to fix my link before it breaks with the newest Chrome.

I assume it'd be the code below? I'm not sure how I'd test this before the next version of Chrome releases. But I also don't want to wait to make this change until after my link breaks with the next release.

window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1,opener')    

or

window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1', 'opener')

• javascript
• html
• window.open

• I didn't find references to this here. Where did you read that this would soon be the default? – pushkin Commented Jan 18, 2021 at 22:29
• Oh, see it here – pushkin Commented Jan 18, 2021 at 22:30
• I imagine we'll just have to wait for the official Chrome blog post to tell us how to enable it when it es out – pushkin Commented Jan 18, 2021 at 22:32
• @NL3294 is there a problem in my answer? – Abkarino Commented Jan 21, 2021 at 15:51

2 Answers 2

The HTML specification is clear about this, you can check it here.

I will share the first segment of the window.open steps:

The window open steps, given a string url, a string target, and a string features, are as follows:

1. If the event loop's termination nesting level is nonzero, return null.

2. Let source browsing context be the entry global object's browsing context.

3. If target is the empty string, then set target to "_blank".

4. Let tokenizedFeatures be the result of tokenizing features.

5. Let noopener and noreferrer be false.

6. If tokenizedFeatures["noopener"] exists, then:

   1. Set noopener to the result of parsing tokenizedFeatures["noopener"] as a boolean feature.

   2. Remove tokenizedFeatures["noopener"].

7. If tokenizedFeatures["noreferrer"] exists, then:

   1. Set noreferrer to the result of parsing tokenizedFeatures["noreferrer"] as a boolean feature.

   2. Remove tokenizedFeatures["noreferrer"].

8. If noreferrer is true, then set noopener to true.

You can see also in this bug tracker, which is tied to the mit that added that, that the edit is only concerned with anchors. I quote

Anchor target=_blank implies rel=noopener

The reason this edit is only done in anchors is because using window.open to trigger this attack would fall into XSS since it requires injecting JavaScript code.

The security issue this bug is concerned with, is that a user can put bad code in a page that you refer to but don't have access to. You can see it doesn't require Same Origin here. Another possible attack vector is when there is user-generated content on your website but this is unlikely since you are likely to escape the user input for XSS.

Final note, this edit is already available for you to test in Chrome Canary.

I do not know how to test this to confirm it works 100% but according to the docs for window.open, the windowFeatures parameter can be passed as ma-separated key-value pairs where you have key=value so you can do noopener=false. If you do this in the current chrome version then the window.opener of the new window is actually the previous window as if you hadn't set anything so I would assume that would work in the new chrome version when it es out.