Reduce the risk of falling victim to phishing attacks.
Any website that uses target="_blank" on its links, allows user-generated content and doesn't use the rel="noopener" attribute on those links (I'm looking at you Facebook, Twitter etc.) is vulnerable to a scarily simple phishing attack. For an example of this kind of attack, view this example that I've made: https://jamiefarrelly.github.io/Rel-NoOpener-Example/
This Chrome extension is as simple as it gets: all it does is add "noopener noreferrer" to the rel attribute on all links on the pages that you're visiting, so that you won't fall victim to this type of phishing attack.
Open source on GitHub: https://github.com/JamieFarrelly/No-Opener-No-Phishers
- (2021-06-29) John Doe: PSA: This is no longer required if you're on version 88 or newer on any platform that uses Chromium (e.g. Chrome, New Edge, Brave, etc.). https://www.chromestatus.com/feature/6140064063029248
- (2021-02-01) Sam Prince: This feature is now baked into Chrome so the extension can be removed for most purposes. Where a site links to a target other than "_blank", e.g. "_potato", the same security issue still exists. Not sure if this extension only works with _blank links.
- (2020-12-05) Madis: No longer needed since Chrome 88! (see crbug 898942 for details) Thanks for creating this extension.
- (2020-01-29) Robert Stewart: Simple and effective. Successfully tested at https://mathiasbynens.github.io/rel-noopener/ in Vivaldi 2.10.1745.27 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.131 Safari/537.36).
- (2019-07-18) Lecoin Names: works fine and nice extension!
- (2019-06-10) Dan Atkinson: This does exactly what you'd want and expect it to do. The actual code is a single line of JS to simply add the 'noopener', and 'noreferrer' attributes to all links with a target of _blank. It's a clean and simple extension that should be baked directly into Chrome itself.
- (2018-01-18) DBS MGMT: It does what it says. You can check (and better understand) its effectiveness on this website: https://mathiasbynens.github.io/rel-noopener/ Thanks Jamie.
- (2017-10-13) Thanks Jamie! Glad to have this protection in Chrome.
- (2020-10-11, v:2) Stanton McCandlish: Another issue, and some questions
In addition to the comments already here, I note that other extensions (for this and other browsers) only apply fixes like this to links that have target="_blank" (or the technically invalid target=_blank without the quotation marks). Is there proof that the noopener tweak is needed beyond this?
Second, why is this also adding noreferrer? Is there proof that this is part of the exploit this extension aims to address? Doing noreferrer is going to break a lot of sites.
Third, this needs a settings panel, at the very least for a whitelist for sites on which to not apply the extension. Clicking on the extension's icon should present an option to add the current site or specific page to that whitelist, the same way ad- and popup-blockers work. I use several sites that make use of the effect this extension disables, for legitimate reasons. E.g., one opens a file download page (with ads on it - it's how the shareware site makes enough money to continue operating) in a new tab, closes that tab when the download starts after a "time to look at the ads" timer, and in the interim has reloaded the page in the original tab, with some parameter changes in its URL so it adds a "last downloaded on" date to the page. Sites like this should not get broken by an extension of this sort.
This is a good start of a useful extension, and we certainly need a fix for this exploit, but it has some issues to resolve (not just the one I've raised). And there are some questions that need answers. If it's really necessary to add noreferrer, and to add both that parameter and noopener to more than _blank links, then this should be spelled out clearly on the main page of the extension.
- (2020-08-01, v:2) Steve Graham: Feature Request: Site Whitelist
I've got a site I use daily (my email client) and I would love to have a simple whitelist feature. If possible, it would also be awesome to see a console.log of what the site tries to use the noopener for (or maybe the link that causes the issue). I know that is a lot more work, so don't worry about it much; the above issue (whitelist) would be phenomenal! Thanks for your work so far!
- (2018-02-07, v:1) Ryan Freeman: Preserve existing REL value
The extension replaces the existing rel="" value, which causes some functionality problems. The FB notifications link has rel="toggle", but that is removed when the extension is active. If the extension could be coded to preserve the existing REL values (except those that directly conflict with the ones added by the extension) it would be really helpful. Thanks!
- (2016-09-01, v:1) John-Robin Tell: Facebook
The extension breaks Facebook. With it activated you won't be able to open your notifications list, friend requests and messages at the top right of the page.
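
Added example (not the extension's own code, and not written by any of the commenters above): one way a content script could apply the fix while handling the points raised in the reviews and issues. Existing rel tokens such as "toggle" are preserved, any named target that opens a separate browsing context (not only _blank) is covered, noreferrer is optional, and allowlisted hosts are skipped. The function names, option names and allowlist mechanism are assumptions made for illustration.

```javascript
// Added example: not the extension's source. All names here are hypothetical.
const SAME_CONTEXT_TARGETS = new Set(["", "_self", "_parent", "_top"]);

// Compute the rel value for one link, keeping the tokens already present.
function hardenRel(rel, target, { addNoreferrer = false } = {}) {
  const name = (target || "").trim().toLowerCase();
  // Keyword targets that reuse an existing context create no new window.
  if (SAME_CONTEXT_TARGETS.has(name)) return rel || "";

  // Keep existing tokens (e.g. "toggle"), minus "opener", which conflicts.
  const tokens = (rel || "").split(/\s+/).filter(
    (tok) => tok && tok.toLowerCase() !== "opener"
  );
  const present = new Set(tokens.map((tok) => tok.toLowerCase()));
  const wanted = addNoreferrer ? ["noopener", "noreferrer"] : ["noopener"];
  for (const tok of wanted) {
    if (!present.has(tok)) tokens.push(tok);
  }
  return tokens.join(" ");
}

// Apply hardenRel to every link under `doc`, unless the host is allowlisted.
// Returns the number of links whose rel attribute was changed.
function hardenLinks(doc, hostname, { allowlist = [], ...relOptions } = {}) {
  if (allowlist.includes(hostname)) return 0;
  let changed = 0;
  for (const link of doc.querySelectorAll("a[target], area[target]")) {
    const before = link.getAttribute("rel") || "";
    const after = hardenRel(before, link.getAttribute("target"), relOptions);
    if (after !== before) {
      link.setAttribute("rel", after);
      changed += 1;
    }
  }
  return changed;
}

// In a content script (browser only): hardenLinks(document, location.hostname);
```

Passing `{ addNoreferrer: true }` reproduces the "noopener noreferrer" pair the extension description mentions, at the cost of suppressing the Referer header on those links.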