Skip to main content

no-window-open-without-noopener

Require noopener when calling window.open with a _blank target.

Targeted pattern scopeโ€‹

This rule targets window.open(...) calls where the second argument is the literal target _blank.

What this rule reportsโ€‹

This rule reports _blank window.open(...) calls when the third features argument is missing or does not include noopener.

Why this rule existsโ€‹

Opening a new tab/window without noopener allows the opened page to access window.opener, which can enable tabnabbing and opener-based navigation abuse.

โŒ Incorrectโ€‹

window.open("https://example.com", "_blank");
window.open("https://example.com", "_blank", "noreferrer");

โœ… Correctโ€‹

window.open("https://example.com", "_blank", "noopener");
window.open("https://example.com", "_blank", "noopener,noreferrer");

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-window-open-without-noopener": "error",
},
},
];

When not to use itโ€‹

Disable only if your codebase avoids _blank navigation entirely or enforces a different audited opener-hardening abstraction.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R026