This extreme tiny script will prevent the default behaviour of a click on an a-tag with taget="_blank"
, open the link using window.open
and ensure that window.opener = null
.
You are able to set the rel="noreferrer noopener"
attribute on an a-tag. This will also prevent to call window.opener
on the location page. But this will only handle simple links.
<a href="http://example.com" target="_blank" rel="noreferrer noopener">Click me!</a>
Copy the following code in your dev-tools on your webpage and click on the generated link on the bottom of your page. If your page redirect after clicking the generated link, you will need this fix.
(() => {
const a = document.createElement('a');
a.href =
'https://merkle-open.github.io/prevent-window-opener-attacks/example/evil-page.html';
a.target = '_blank';
a.innerHTML = 'Click me!';
document.body.appendChild(a);
})();
Fixes the attack vector on document ready automatically
import('prevent-window-opener-attacks');
Fixes the attack vector on document ready automatically
require('prevent-window-opener-attacks');
Allows to call the fix explicitely
import { preventWindowOpenerAttacks } from 'prevent-window-opener-attacks/src/lib';
preventWindowOpenerAttacks();
Allows to call the fix explicitely
const {
preventWindowOpenerAttacks,
} = require('prevent-window-opener-attacks/dist/lib.js');
preventWindowOpenerAttacks();
Allows to call the fix explicitely
require('prevent-window-opener-attacks/dist/lib.js', function ({
preventWindowOpenerAttacks,
}) {
preventWindowOpenerAttacks();
});