prevent-window-opener-attacks

Prevent window.opener attacks for _blank links

  • 0.3.1
  • latest
Maintainers
8

This extremely tiny script prevents the default behaviour of a click on an a-tag with target="_blank", opens the link using window.open instead, and ensures that window.opener = null.
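A minimal sketch of the approach described above, added here as an illustration and not taken from the package's source: a delegated click handler intercepts target="_blank" links and opens them through window.open with the opener cleared. The function names, the blank-window-then-navigate order and the http(s)-only filter are assumptions of this example.

```javascript
// Added sketch, not the package's source. `doc` and `win` are parameters so
// the logic can be exercised outside a browser; in a page they are
// document and window.

// Walk up from the clicked node to the nearest <a target="_blank"> whose
// resolved href is http(s). Other schemes keep the browser's default handling.
function findBlankLink(node) {
  for (let el = node; el; el = el.parentNode) {
    if (el.tagName === 'A' && el.target === '_blank' &&
        /^https?:/i.test(el.href || '')) {
      return el;
    }
  }
  return null;
}

// Open `url` in a new window that holds no reference back to this one.
// Assumption: open a blank window first, clear opener, then navigate.
function openDetached(win, url) {
  const child = win.open('', '_blank');
  if (!child) return null; // popup blocked: nothing was opened
  child.opener = null;
  child.location = url;
  return child;
}

// One delegated listener also covers links inserted after page load.
function installOpenerGuard(doc, win) {
  const onClick = (event) => {
    if (event.defaultPrevented) return;
    const link = findBlankLink(event.target);
    if (!link) return;
    event.preventDefault(); // stop the browser's own _blank navigation
    openDetached(win, link.href);
  };
  doc.addEventListener('click', onClick);
  return onClick;
}

// In a browser (guarded so the file also loads under Node):
if (typeof document !== 'undefined') installOpenerGuard(document, window);
```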

Examples

Example without fix

Example with fix

Fix it with the rel attribute

You can set the rel="noreferrer noopener" attribute on an a-tag. This also prevents the destination page from accessing window.opener, but it only handles simple links.

<a href="http://example.com" target="_blank" rel="noreferrer noopener">Click me!</a>

Test your own site

Paste the following code into the dev-tools console on your webpage and click the generated link at the bottom of the page. If your page redirects after you click the generated link, you need this fix.

(() => {
  const a = document.createElement('a');
  a.href =
    'https://merkle-open.github.io/prevent-window-opener-attacks/example/evil-page.html';
  a.target = '_blank';
  a.innerHTML = 'Click me!';
  document.body.appendChild(a);
})();

Usage

ES Modules

Fixes the attack vector on document ready automatically

import('prevent-window-opener-attacks');

CommonJS & AMDJS

Fixes the attack vector on document ready automatically

require('prevent-window-opener-attacks');

ES Modules - direct call

Allows calling the fix explicitly

import { preventWindowOpenerAttacks } from 'prevent-window-opener-attacks/src/lib';
preventWindowOpenerAttacks();

CommonJS - direct call

Allows calling the fix explicitly

const {
  preventWindowOpenerAttacks,
} = require('prevent-window-opener-attacks/dist/lib.js');
preventWindowOpenerAttacks();

AMD JS - direct call

Allows calling the fix explicitly

// AMD's asynchronous require takes an array of module ids
require(['prevent-window-opener-attacks/dist/lib.js'], function ({
  preventWindowOpenerAttacks,
}) {
  preventWindowOpenerAttacks();
});

Package last updated on 11 Apr 2023
