@hint/hint-disown-opener
Advanced tools
hint that that checks if external links disown the opener
disown-opener)disown-opener checks if the rel attribute is specified with both
the noopener and noreferrer values (or only noopener if all the
targeted browsers support it) on
a and area elements that have target="_blank" and link to other
origins.
Links that have target="_blank", such as
<a href="https://example.com" target="_blank"> constitute:
When using target="_blank", the page that was linked to gains
access to the original page’s window.opener.
This allows it to redirect the original page to whatever it wants,
a technique frequently used for malicious attacks on the user.
For example, the user could be redirected to a phishing page
designed to look like the expected page and then asking for login
credentials (see also: tab nabbing).
By adding rel="noopener" (and noreferrer for older browsers)
the window.opener reference won’t be set, removing the ability
for the page that was linked to from redirecting the original one.
Most modern browsers are multi-process. However, in most browsers,
due to the synchronous cross-window access the DOM allows via
window.opener, pages launched via target="_blank" end up in
the same process as the origin page, and that can lead to the pages
experiencing jank.
In Chromium based browsers, using rel="noopener" (or
rel="noreferrer" for older versions),
and thus, preventing the window.opener reference from being set,
allows new pages to be opened in their own process.
Edge is not affected by this.
Notes:
Not all browsers support rel="noopener",
so to ensure that things work as expected in as many
browsers as possible, by default, the hint requires both the
noopener and noreferrer values to be specified. However,
if all the targeted browsers
support noopener, only noopener will be required.
The reason why the hint does not check the same origin links by default is because:
Check Can the hint be configured?
section to see how the hint can be made to also check same origin
links.
In the future there may be a CSP valueless property that will prevent the window.opener reference
from being set.
By default, the hint checks if the rel attribute was specified with
both the noopener and noreferrer values on a and area elements
that have target="_blank" and link to other origins.
If the targeted browsers are specified,
based on their support, the hint might only require the noopener
value.
Let’s presume the original page is https://example1.com.
<a href="http://example1.com/example.html" target="_blank">example</a>
<a href="https://en.example1.com" target="_blank">example</a>
<a href="//example2.com" target="_blank">example</a>
<a href="https://example2.com" target="_blank">example</a>
<img src="example.png" width="10" height="10" usemap="#example">
<map name="example">
<area shape="rect" coords="0,0,5,5" href="http://example3.com/example.html" target="_blank">
</map>
<a href="/" target="_blank">example</a>
<a href="example.html" target="_blank">example</a>
<a href="https://example1.com/example.html" target="_blank">example</a>
<a href="http://example1.com/example.html" target="_blank" rel="noopener noreferrer">example</a>
<a href="https://en.example1.com/example.html" target="_blank" rel="noopener noreferrer">example</a>
<a href="//example2.com" target="_blank" rel="noopener noreferrer">example</a>
<a href="https://example2.com" target="_blank" rel="noopener noreferrer">example</a>
<img src="example.png" width="10" height="10" usemap="#example">
<map name="example">
<area shape="rect" coords="0,0,5,5" href="example.html" target="_blank">
</map>
<img src="example.png" width="10" height="10" usemap="#example">
<map name="example">
<area shape="rect" coords="0,0,5,5" href="http://example3.com/example.html" target="_blank" rel="noopener noreferrer">
</map>
includeSameOriginURLs can be used to specify that same origin URLs
should also include rel="noopener noreferrer".
In the .hintrc file:
{
"connector": {...},
"formatters": [...],
"hints": {
"disown-opener": ["error", {
"includeSameOriginURLs": true
}],
...
},
...
}
Also, note that this hint takes into consideration the targeted
browsers, and if all of them
support the noopener value, the hint won’t require the noreferrer
value.
This package is installed automatically by webhint:
npm install hint --save-dev
To use it, activate it via the .hintrc configuration file:
{
"connector": {...},
"formatters": [...],
"hints": {
"disown-opener": "error",
...
},
"parsers": [...],
...
}
Note: The recommended way of running webhint is as a devDependency of
your project.
FAQs
hint that that checks if external links disown the opener
We found that @hint/hint-disown-opener demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious Go packages are impersonating popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated payloads.
Security News
Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.