no-window-open-without-noopener

Require noopener when calling window.open with a _blank target.

Targeted pattern scope

This rule targets window.open(...) calls where the second argument is the literal target _blank.

What this rule reports

This rule reports _blank window.open(...) calls when the third features argument is missing or does not include noopener.

Why this rule exists

Opening a new tab/window without noopener allows the opened page to access window.opener, which can enable tabnabbing and opener-based navigation abuse.

❌ Incorrect

window.open("https://example.com", "_blank");
window.open("https://example.com", "_blank", "noreferrer");

✅ Correct

window.open("https://example.com", "_blank", "noopener");
window.open("https://example.com", "_blank", "noopener,noreferrer");

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-window-open-without-noopener": "error",
    },
  },
];

When not to use it

Disable only if your codebase avoids _blank navigation entirely or enforces a different audited opener-hardening abstraction.
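A sketch of what such an audited opener-hardening abstraction could look like, as an added example that is not part of eslint-plugin-sdl-2 or its documentation. The names `parseFeatures`, `hasNoopener`, `hardenFeatures` and `openInNewTab` are hypothetical, and the features parsing is a simplified assumption (comma-separated tokens, bare or `=yes`/`=true`/non-zero values count as enabled).

```javascript
// Added example: hypothetical helper names, not the plugin's own code.

// Split a window.open features string into [name, value] pairs.
// Simplified assumption: comma-separated tokens, optional "=value".
function parseFeatures(features) {
  return String(features ?? "")
    .split(",")
    .map((token) => token.trim())
    .filter(Boolean)
    .map((token) => {
      const [name, value = ""] = token.split("=").map((part) => part.trim());
      return [name.toLowerCase(), value.toLowerCase()];
    });
}

// A boolean feature is on when bare, "yes", "true", or a non-zero integer.
const isOn = (value) =>
  value === "" || value === "yes" || value === "true" ||
  (Number.parseInt(value, 10) || 0) !== 0;

// True only when the string contains a noopener token that is enabled.
function hasNoopener(features) {
  return parseFeatures(features).some(
    ([name, value]) => name === "noopener" && isOn(value),
  );
}

// Return a features string guaranteed to enable noopener, dropping any
// caller-supplied noopener token that switched it off (e.g. "noopener=0").
function hardenFeatures(features) {
  if (hasNoopener(features)) return String(features);
  const kept = parseFeatures(features)
    .filter(([name]) => name !== "noopener")
    .map(([name, value]) => (value ? `${name}=${value}` : name));
  return ["noopener", ...kept].join(",");
}

// Single audited entry point for _blank navigation. `win` is injectable so
// the wrapper can be unit-tested outside a browser.
function openInNewTab(url, features, win = globalThis.window) {
  return win.open(url, "_blank", hardenFeatures(features));
}
```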


Rule catalog ID: R026