Can you use rel=opener with window.open()?

The HTML specification is clear about this; you can check it here.

I will share the first segment of the window.open steps:

The window open steps, given a string url, a string target, and a string features, are as follows:

  1. If the event loop's termination nesting level is nonzero, return null.

  2. Let source browsing context be the entry global object's browsing context.

  3. If target is the empty string, then set target to "_blank".

  4. Let tokenizedFeatures be the result of tokenizing features.

  5. Let noopener and noreferrer be false.

  6. If tokenizedFeatures["noopener"] exists, then:

    1. Set noopener to the result of parsing tokenizedFeatures["noopener"] as a boolean feature.

    2. Remove tokenizedFeatures["noopener"].

  7. If tokenizedFeatures["noreferrer"] exists, then:

    1. Set noreferrer to the result of parsing tokenizedFeatures["noreferrer"] as a boolean feature.

    2. Remove tokenizedFeatures["noreferrer"].

  8. If noreferrer is true, then set noopener to true.

You can also see in this bug tracker, which is tied to the commit that added that, that the edit is only concerned with anchors. I quote:

Anchor target=_blank implies rel=noopener

The reason this edit is only done in anchors is because using window.open to trigger this attack would fall into XSS since it requires injecting JavaScript code.

The security issue this bug is concerned with is that a user can put bad code in a page that you refer to but don't have access to. You can see it doesn't require Same Origin here. Another possible attack vector is when there is user-generated content on your website, but this is unlikely since you are likely to escape the user input for XSS.

Final note: this edit is already available for you to test in Chrome Canary.


I do not know how to test this to confirm it works 100%, but according to the docs for window.open, the windowFeatures parameter can be passed as comma-separated key-value pairs where you have key=value, so you can do noopener=false. If you do this in the current Chrome version, then the window.opener of the new window is actually the previous window, as if you hadn't set anything, so I would assume that would work in the new Chrome version when it comes out.
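
The feature handling in steps 4 to 8 quoted in the first answer, and the `noopener=false` case raised in the second, as an added JavaScript example that is not part of either answer or of the specification text. `tokenizeFeatures`, `parseBooleanFeature` and `openerFlags` are hypothetical names that model the specification's tokenizing and boolean-feature rules; feature-name normalization is left out because it does not affect these two keys.

```javascript
// Added example; function names are hypothetical, not from the HTML spec.
const isSep = (c) => c !== undefined && "\t\n\f\r =,".includes(c);

// Models "tokenizing features": separators are ASCII whitespace, "=" and ",".
function tokenizeFeatures(features) {
  const map = new Map();
  let i = 0;
  const collect = (wantSep) => {
    const start = i;
    while (i < features.length && isSep(features[i]) === wantSep) i++;
    return features.slice(start, i).toLowerCase();
  };
  while (i < features.length) {
    collect(true); // skip separators before the name
    const name = collect(false);
    // Move up to "=", but never past "," or the start of another token.
    while (i < features.length && features[i] !== "=") {
      if (features[i] === "," || !isSep(features[i])) break;
      i++;
    }
    let value = "";
    if (isSep(features[i])) {
      while (isSep(features[i]) && features[i] !== ",") i++;
      value = collect(false);
    }
    if (name !== "") map.set(name, value);
  }
  return map;
}

// Models "parse as a boolean feature": empty, "yes", "true" or non-zero integer.
function parseBooleanFeature(value) {
  if (value === "" || value === "yes" || value === "true") return true;
  const n = parseInt(value, 10);
  return Number.isNaN(n) ? false : n !== 0;
}

// Steps 4 to 8 of the quoted window open steps.
function openerFlags(features) {
  const t = tokenizeFeatures(features);
  let noopener = false, noreferrer = false;
  if (t.has("noopener")) { noopener = parseBooleanFeature(t.get("noopener")); t.delete("noopener"); }
  if (t.has("noreferrer")) { noreferrer = parseBooleanFeature(t.get("noreferrer")); t.delete("noreferrer"); }
  if (noreferrer) noopener = true; // step 8
  return { noopener, noreferrer, remaining: [...t.keys()] };
}

// Constructed sample inputs.
for (const f of ["noopener", "noopener=false", "noopener=false,noreferrer"]) {
  console.log(JSON.stringify(f), openerFlags(f));
}
```

Under these rules `noopener=false` parses to false, so the opener relationship is kept, while any true `noreferrer` forces noopener to true regardless of what was passed for it.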