The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
This is supported in modern browsers including Chrome, and Firefox 52+.
From my experimentation, I see it works for:
- Chrome 61
- FireFox 56
- Safari 11.1 (thanks Jiayi Hu for this)
But doesn't work for:
- IE 11.608
- Edge 40
(All tests on a PC running Windows 10...)
For backwards compatibility it may be better to combine this with t3__rry's answer.
Answer from G0BLiN on Stack Overflow Top answer 1 of 6
107
The window.open() call now supports the feature "noopener".
So calling window.open('https://www.your.url','_blank','noopener') should open the new window/tab with a null window.opener.
I'm having trouble finding a reliable list of supporting browsers (and versions) - MDN states here that
This is supported in modern browsers including Chrome, and Firefox 52+.
From my experimentation, I see it works for:
- Chrome 61
- FireFox 56
- Safari 11.1 (thanks Jiayi Hu for this)
But doesn't work for:
- IE 11.608
- Edge 40
(All tests on a PC running Windows 10...)
For backwards compatibility it may be better to combine this with t3__rry's answer.
2 of 6
35
Use
const yourWindow = window.open();
yourWindow.opener = null;
yourWindow.location = "http://someurl.here";
Credit goes to Mathias Bynens: https://mathiasbynens.github.io/rel-noopener/
MDN Web Docs
developer.mozilla.org › en-US › docs › Web › API › Window › open
Window: open() method - Web APIs | MDN
If this feature is set, the new window will not have access to the originating window via Window.opener and returns null. When noopener is used, non-empty target names, other than _top, _self, and _parent, are treated like _blank in terms of deciding whether to open a new browsing context. ... If this feature is set, the browser will omit the Referer header, as well as set noopener to true. See rel="noreferrer" for more information.
Dillion's Blog
dillionmegida.com › p › noopener-noreferrer
noopener noreferrer - What do these mean and how does it improve web security? - Dillion's Blog
In this simplified article, we'll learn the importance of this technique for improving web application security. This attribute and value tells a link to open it's referenced page in a new tab or a new window when clicked.
JavaScript in Plain English
javascript.plainenglish.io › when-to-use-noopener-or-noreferrer-and-the-difference-between-the-two-d4aa809f83f
When To Use “noopener” Or “noreferrer” And The Difference Between Them | by Adam Workman | JavaScript in Plain English
April 22, 2021 - In an anchor tag, we use the rel ... a linked resource. When opening the linked resource in a new tab or window (target=”_blank”), we use the rel attribute with the values noopener and/or noreferrer....
Elementor
elementor.com › blog › resources › what does the rel=”noopener noreferrer” tag mean?
What Does The rel="noopener noreferrer" Tag Mean?
December 27, 2025 - Sensitive websites (e.g., healthcare, financial) might not want the referrer URL to be openly transmittable. Users concerned about their browsing history being traced might prefer to limit the data websites receive about them. With a foundation in HTML links, potential vulnerabilities, and referrer information, we’re ready to explore how “noopener” and “noreferrer” help mitigate these risks. The core function: The “noopener” tag severs the JavaScript connection (established through window.opener) between the new tab/window and the original website.
MDN Web Docs
developer.mozilla.org › en-US › docs › Web › HTML › Reference › Attributes › rel › noopener
rel="noopener" - HTML | MDN
The noopener keyword for the rel attribute of the <a>, <area>, and <form> elements instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it ...
Chrome Platform Status
chromestatus.com › feature › 4811343616016384
Support noreferrer attribute for window.open()
We cannot provide a description for this page right now
Mathiasbynens
mathiasbynens.github.io › rel-noopener
About rel=noopener
This ensures window.opener is null in Chrome 49 & Opera 36, Firefox 52, Desktop Safari 10.1+, and iOS Safari 10.3+. Click me!!1 (now with rel=noopener) For older browsers, you could use rel=noreferrer which also disables the Referer HTTP header, or the following JavaScript work-around which ...
Point Jupiter
pointjupiter.com › home › blog › explained: noopener, noreferrer, and nofollow values
Explained: noopener, noreferrer, and nofollow Values - Point Jupiter
April 3, 2025 - They are noreferrer, noopener, and nofollow. rel="noopener" you use on all links opening in new tabs using the target _blank. There are security implications if you don’t use the noopener value on your links opening in new tabs. A malicious attacker can use the window.opener object to change the content and location of the originating page.
DEV Community
dev.to › digvijaysingh › how-to-open-a-new-tab-or-window-using-javascript-5ebc
How to Open a New Tab or Window using Javascript? - DEV Community
October 23, 2020 - window.open('https://holycoders.com', '_blank', 'noopener,height=600,width=960,scrollbars=yes');
JsCraft
js-craft.io › home › window.open() and target=”_blank” have a security vulnerability
Window.open() and target="_blank" have a security vulnerability
January 20, 2023 - For example, it can use the window.opener.location to point the user of the initial page to a fake phishing site that mimics the looks of the original and do all kinds of nasty stuff. This can be very efficient given that the user trusts the page that is already opened. ... later edit: it seems that noreferrer is now redundant, so noopener should be enough for the HTML use.
DEV Community
dev.to › dhilipkmr › why-should-you-use-noopener-beware-of-security-flaws-3i57
Why should you use "noopener"? Beware of security Flaws. - DEV Community
August 17, 2019 - By default, the new version of Safari removes window.opener when used with anchor tag for all cases, to pass the window info to the new tab you have to explicitly specify rel='opener' Checkout the live implementation example here: Live Demo · None shall bypass your Security. ... Thats all Folks!!! ... I've been using noopener and noreferrer for years now, but never really understanding why.
Rank Math
rankmath.com › home › noopener
What is Noopener? » Rank Math
The noopener attribute (rel="noopener") ... attribute (rel="noreferrer"), on the other hand, instructs the browser to remove the Referer header when opening the new window....
Top answer 1 of 4
12
Another approach that will solve this in one line is to access the opener property directly and set it to null to make use of the fact that window.open() returns a Window object. This will work across all browsers to open a new tab with a null window.opener.
window.open(url, '_blank').opener = null;
2 of 4
8
Honestly i think your code is fine but you can try a different implementation:
var yourWindow = window.open();
yourWindow.opener = null;
yourWindow.location = "http://someurl.here";
yourWindow.target = "_blank";
GitHub
github.com › whatwg › html › issues › 7485
Modernized version of window.open() API · Issue #7485 · whatwg/html
January 11, 2022 - window.openWindow(url, { allowOpenerAccess, referrerPolicy }); window.openPopup(url, { left, top, width, height, allowOpenerAccess, referrerPolicy }); ... Allow any referrer policy, not just no-referrer (the latter is possible via today's noreferrer ...
Author domenic
Bishtbytes
bishtbytes.com › article › securely-opening-links-understanding-rel-noopener-noreferrer
Securely opening links and understanding rel="noopener noreferrer"
Solution: `rel="noopener noreferrer"` What Each Attribute Does: Opening Pages Programmatically with `window.open()` **Insecure Example** (Risky) **Secure Example** **Alternative Secure Approach** When Should You Use `noreferrer`? Conclusion · Page Views: - security web html ·
Jakearchibald
jakearchibald.com › 2016 › performance-benefits-of-rel-noopener
The performance benefits of rel=noopener - JakeArchibald.com
However, due to the synchronous cross-window access the DOM gives us via window.opener, windows launched via target="_blank" end up in the same process & thread. The same is true for iframes and windows opened via window.open. rel="noopener" prevents window.opener, so there's no cross-window access.
GitHub
github.com › whatwg › html › issues › 4078
Windows opened via <a target=_blank> should not have an opener by default · Issue #4078 · whatwg/html
October 10, 2018 - Windows opened via currently have an opener unless specified otherwise via rel="noopener". While most developers expect a window opened via window.open() to have a...
Author cdumez
GitHub
github.com › XGovFormBuilder › digital-form-builder › issues › 387
Add rel="noopener noreferrer" to this link to prevent the original page from being modified by the opened link. · Issue #387 · XGovFormBuilder/digital-form-builder
January 15, 2021 - To prevent pages from abusing window.opener, use rel=noopener on <a href=> to force its value to be null on the opened pages. With this in place, window.opener is null in Chrome 49+, Opera 36+, Firefox 52+, Desktop Safari 10.1+, and iOS Safari ...
Author nattrass