merkle-open / prevent-window-opener-attacks Goto Github PK

'Marcos Imbuerger' described the underlying issue very well back in 2019. Since the beginning of 2021 this bug seems to bo fixed for modern browsers as pointed out on Stackoverflow with reference to chromestatus.com. The target=_blank Anchor does imply rel=noopener in all modern browsers by default. Quote: "All current versions of major browsers" now automatically fix this issue by automatically adding the behavior of rel="noopener" for any target="_blank" link. The new browser behaviour will be nullifying this issue.

The example links were not moved to the new project

Hello! Nice work on your library here. I wanted to let you know that I used your github page as a way to test an internal tool I am developing as well for window.opener. I found a bug around safari that I wanted to let you know about. It turns out that setting window.opener = null (which is also the same in my current implementation) does not actually work if the new window is a different origin. In fact when you do call window.opener = null in this scenario you get an error in the console TypeError: null is not an object Which I think is actually a red-herring error. I think it's actually hiding a cross origin security error.

So with that, we both have a bug, and I am not sure what the solution looks like yet. Will let you know if I get a good answer