The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
This is supported in modern browsers including Chrome, and Firefox 52+.
From my experimentation, I see it works for:
- Chrome 61
- FireFox 56
- Safari 11.1 (thanks Jiayi Hu for this)
But doesn't work for:
- IE 11.608
- Edge 40
(All tests on a PC running Windows 10...)
For backwards compatibility it may be better to combine this with t3__rry's answer.
Answer from G0BLiN on Stack Overflow Top answer 1 of 6
107
The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
This is supported in modern browsers including Chrome, and Firefox 52+.
From my experimentation, I see it works for:
- Chrome 61
- FireFox 56
- Safari 11.1 (thanks Jiayi Hu for this)
But doesn't work for:
- IE 11.608
- Edge 40
(All tests on a PC running Windows 10...)
For backwards compatibility it may be better to combine this with t3__rry's answer.
2 of 6
35
Use
const yourWindow = window.open();
yourWindow.opener = null;
yourWindow.location = "http://someurl.here";
Credit goes to Mathias Bynens: https://mathiasbynens.github.io/rel-noopener/
MDN Web Docs
developer.mozilla.org › en-US › docs › Web › API › Window › open
Window: open() method - Web APIs | MDN
If this feature is set, the new window will not have access to the originating window via Window.opener and returns null. When noopener is used, non-empty target names, other than _top, _self, and _parent, are treated like _blank in terms of deciding whether to open a new browsing context. ... If this feature is set, the browser will omit the Referer header, as well as set noopener to true. See rel="noreferrer" for more information.
Rel noopener issue on window.open
RSPEC-5148 Why do you believe it’s a false-positive/false-negative? adding a windowFeatures string with noopener,noreferrer triggers the rule, even the MDN says that it’s valid. Additionally, setting the window.opener property to null as specified by the reference links in the rule info ... More on community.sonarsource.com
1
0
September 5, 2024Window.open with 'noopener' opens a new window instead of a new tab
const anchor = document.create... rel: 'noopener noreferrer' }) .click() This is the method which feels a bit cleaner. It creates an anchor tag and clicks it, we have to use this workaround as its a user preference. ... Find the answer to your question by asking. Ask question ... See similar questions with these tags. ... Please welcome V2Blast back to the Community Team! ... How do open-source projects ... More on stackoverflow.com
Modernized version of window.open() API
window.open() is full of legacy design mistakes. Here is a proposal for what, IMO, it should look like: · In particular such a clean slate would: More on github.com
15
January 11, 2022noopener window.open feature seems pretty broken as implemented in browsers
Trying to use it gives a very broken window because it turns off all the other window features, in both Firefox and Chrome. Furthermore, it forces the new window into a separate window, not a tab, ... More on github.com
19
October 14, 2016Dillion's Blog
dillionmegida.com › p › noopener-noreferrer
noopener noreferrer - What do these mean and how does it improve web security? - Dillion's Blog
August 9, 2020 - noopener and noreferrer are two values for the rel attribute in anchor tags that ensures the new page has no information or access to the previous page
JavaScript in Plain English
javascript.plainenglish.io › when-to-use-noopener-or-noreferrer-and-the-difference-between-the-two-d4aa809f83f
When To Use “noopener” Or “noreferrer” And The Difference Between Them | by Adam Workman | JavaScript in Plain English
April 22, 2021 - What if opening that link in a new tab is absolutely necessary, or you would just prefer it to open in a new tab · Join Medium for free to get updates from this writer. ... That’s where noopener and noreferrer come in. ... The values noopener and noreferrer belong to the rel attribute, and they tell the browser NOT to set the window.open property when opening a link in a new tab/window.
MDN Web Docs
developer.mozilla.org › en-US › docs › Web › HTML › Reference › Attributes › rel › noopener
rel="noopener" - HTML - MDN Web Docs - Mozilla
The noopener keyword for the rel attribute of the , , and elements instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).
Mathiasbynens
mathiasbynens.github.io › rel-noopener
About rel=noopener
This ensures window.opener is null in Chrome 49 & Opera 36, Firefox 52, Desktop Safari 10.1+, and iOS Safari 10.3+. Click me!!1 (now with rel=noopener) For older browsers, you could use rel=noreferrer which also disables the Referer HTTP header, or the following JavaScript work-around which potentially triggers the popup blocker:
Elementor
elementor.com › blog › resources › what does the rel=”noopener noreferrer” tag mean?
What Does The rel="noopener noreferrer" Tag Mean?
December 27, 2025 - Sensitive websites (e.g., healthcare, financial) might not want the referrer URL to be openly transmittable. Users concerned about their browsing history being traced might prefer to limit the data websites receive about them. With a foundation in HTML links, potential vulnerabilities, and referrer information, we’re ready to explore how “noopener” and “noreferrer” help mitigate these risks. The core function: The “noopener” tag severs the JavaScript connection (established through window.opener) between the new tab/window and the original website.
Chrome Platform Status
chromestatus.com › feature › 4811343616016384
Support noreferrer attribute for window.open()
Sign in with GoogleSign in with Google. Opens in new tab
DEV Community
dev.to › dhilipkmr › why-should-you-use-noopener-beware-of-security-flaws-3i57
Why should you use "noopener"? Beware of security Flaws. - DEV Community
August 17, 2019 - By default, the new version of Safari removes window.opener when used with anchor tag for all cases, to pass the window info to the new tab you have to explicitly specify rel='opener' Checkout the live implementation example here: Live Demo · None shall bypass your Security. ... Thats all Folks!!! ... I've been using noopener and noreferrer for years now, but never really understanding why.
DEV Community
dev.to › digvijaysingh › how-to-open-a-new-tab-or-window-using-javascript-5ebc
How to Open a New Tab or Window using Javascript? - DEV Community
October 23, 2020 - window.open('https://holycoders.com', '_blank', 'noopener,height=600,width=960,scrollbars=yes');
Point Jupiter
pointjupiter.com › home › blog › explained: noopener, noreferrer, and nofollow values
Explained: noopener, noreferrer, and nofollow Values - Point Jupiter
April 3, 2025 - Instructs the browser to open the link without granting the new browsing context access to the document that opened it — by not setting the window.opener on the opened window (it returns null).
JsCraft
js-craft.io › home › window.open() and target=”_blank” have a security vulnerability
Window.open() and target="_blank" have a security vulnerability
January 20, 2023 - For example, it can use the window.opener.location to point the user of the initial page to a fake phishing site that mimics the looks of the original and do all kinds of nasty stuff. This can be very efficient given that the user trusts the page that is already opened. ... later edit: it seems that noreferrer is now redundant, so noopener should be enough for the HTML use.
Rank Math
rankmath.com › home › noopener
What is Noopener? » Rank Math
The noopener attribute (rel="noopener") ... attribute (rel="noreferrer"), on the other hand, instructs the browser to remove the Referer header when opening the new window....
Top answer 1 of 4
12
Another approach that will solve this in one line is to access the opener property directly and set it to null to make use of the fact that window.open() returns a Window object. This will work across all browsers to open a new tab with a null window.opener.
window.open(url, '_blank').opener = null;
2 of 4
8
Honestly i think your code is fine but you can try a different implementation:
var yourWindow = window.open();
yourWindow.opener = null;
yourWindow.location = "http://someurl.here";
yourWindow.target = "_blank";
Bishtbytes
bishtbytes.com › article › securely-opening-links-understanding-rel-noopener-noreferrer
Securely opening links and understanding rel="noopener noreferrer"
Solution: `rel="noopener noreferrer"` What Each Attribute Does: Opening Pages Programmatically with `window.open()` **Insecure Example** (Risky) **Secure Example** **Alternative Secure Approach** When Should You Use `noreferrer`? Conclusion · Page Views: - security web html ·
GitHub
github.com › whatwg › html › issues › 7485
Modernized version of window.open() API · Issue #7485 · whatwg/html
January 11, 2022 - window.openWindow(url, { allowOpenerAccess, referrerPolicy }); window.openPopup(url, { left, top, width, height, allowOpenerAccess, referrerPolicy }); ... Allow any referrer policy, not just no-referrer (the latter is possible via today's noreferrer ...
Author domenic
MDN Web Docs
developer.mozilla.org › en-US › docs › Web › HTML › Attributes › rel › noopener
rel="noopener" - HTML | MDN
The noopener keyword for the rel attribute of the , , and elements instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).
GitHub
github.com › whatwg › html › issues › 1902
noopener window.open feature seems pretty broken as implemented in browsers · Issue #1902 · whatwg/html
October 14, 2016 - Trying to use it gives a very broken window because it turns off all the other window features, in both Firefox and Chrome. Furthermore, it forces the new window into a separate window, not a tab, because it's turning off all the other f...
Author bzbarsky
DeepSource
deepsource.com › directory › javascript › issues › JS-0422
Avoid `target='_blank'` attribute without `rel='noopener noreferrer'` (JS-0422) ・ JavaScript
When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability. Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.