prevent-window-opener-attacks
This extreme tiny script will prevent the default behaviour of a click on an a-tag with taget="_blank"
, open the link using window.open
and ensure that window.opener = null
.
Examples
Fix it with the rel attribute
You are able to set the rel="noreferrer noopener"
attribute on an a-tag. This will also prevent to call window.opener
on the location page. But this will only handle simple links.
<a href="http://example.com" target="_blank" rel="noreferrer noopener">Click me!</a>
Test your own site
Copy the following code in your dev-tools on your webpage and click on the generated link on the bottom of your page. If your page redirect after clicking the generated link, you will need this fix.
(() => {
const a = document.createElement('a');
a.href =
'https://merkle-open.github.io/prevent-window-opener-attacks/example/evil-page.html';
a.target = '_blank';
a.innerHTML = 'Click me!';
document.body.appendChild(a);
})();
Usage
ES Modules
Fixes the attack vector on document ready automatically
import('prevent-window-opener-attacks');
CommonJS & AMDJS
Fixes the attack vector on document ready automatically
require('prevent-window-opener-attacks');
ES Modules - direct call
Allows to call the fix explicitely
import { preventWindowOpenerAttacks } from 'prevent-window-opener-attacks/src/lib';
preventWindowOpenerAttacks();
CommonJS - direct call
Allows to call the fix explicitely
const {
preventWindowOpenerAttacks,
} = require('prevent-window-opener-attacks/dist/lib.js');
preventWindowOpenerAttacks();
AMD JS - direct call
Allows to call the fix explicitely
require('prevent-window-opener-attacks/dist/lib.js', function ({
preventWindowOpenerAttacks,
}) {
preventWindowOpenerAttacks();
});