
Don't touch my tabs! (rel=noopener) by Jeroen Swen
Prevent tabs opened by a hyperlink from hijacking the previous tab by adding the rel=noopener attribute to all hyperlinks (excluding same-domain hyperlinks).
Extension Metadata
Hi!
Did you know that whenever you click on a hyperlink that opens a page in a new tab, the new page is able to control what page is loaded in the previous tab?
"Why is this bad for me?"
Advertisers are using this trick to harass everyone these days, and worse, hackers can replace the previous tab with a fake login page of the service you're navigating away from when you follow a hyperlink to an evil web page.
"That's not good! What now?"
The World Wide Web Consortium (W3C) decided that something needed to be created to stop this from happening, and the "rel=noopener" attribute was born.
This attribute can be added to any hyperlink to prevent the new window from accessing the previous window object.
"Sweet!"
Well here's the catch: Because they didn't want to 'break the internet' this became an optional attribute that web developers and designers have to add to each single hyperlink in order to protect you. This means that trillions of Hyperlinks that do not give us this protection have to be fixed, manually, and let's be honest, this will not happen.
"Break the internet? But.. my security!"
Well they do have a point in some way, since some web applications make use of this function, it would break those web applications if they would just change the way hyperlinks work.
"So what now?"
I created a simple browser extension to solve this problem for you.
When you add this extension to your browser, all it will do is add the "rel=noopener" attribute to any hyperlink that opens a page in a new tab or window.
"But won't this 'break my internet'?"
Nope! Because when a hyperlink points to a web page hosted on the same domain name as the one you're on, it will NOT add the rel=noopener attribute. Neat huh?
"Does it do anything else?"
No, that's all! :]
I just want to share this with the rest of the internet.
"Can you give me some technical details?"
Sure thing! Basically, this add-on:
1. Searches for any hyperlink that points to a page that is not hosted on the same domain as the viewed page and checks if it has the target="_blank" attribute.
2A. If the found Hyperlink has no rel= attribute, it adds rel=noopener to the hyperlink.
2B. If the found Hyperlink already has a rel= attribute the noopener value is added if it does not exist, leaving all other values intact.
"When I press 'Add to Firefox' it says "Access your data for all websites", that's scary!"
Kudos for being alert!
This add-on needs to make changes to the underlying HTML-code of every web-page you visit to add the "rel=noopener" attribute.
That's all it is, it's not eaves-dropping or anything like that.
I invite you to view the source code of this add-on to put your mind at ease.
"Where can I find the source code?"
I used to host it on GitHub, but wasn't keeping it up-to-date. I therefore disabled the repository until I have a proper one.
However, for now, you can use a neat little trick, just right-click the "Add to Firefox" button and save the file offered to you.
Noticed that it's extension is ".xpi"? Suprise, it's actually a ZIP-file, so just rename it to ".zip" and open it. Poof! Magic!
Did you know that whenever you click on a hyperlink that opens a page in a new tab, the new page is able to control what page is loaded in the previous tab?
"Why is this bad for me?"
Advertisers are using this trick to harass everyone these days, and worse, hackers can replace the previous tab with a fake login page of the service you're navigating away from when you follow a hyperlink to an evil web page.
"That's not good! What now?"
The World Wide Web Consortium (W3C) decided that something needed to be created to stop this from happening, and the "rel=noopener" attribute was born.
This attribute can be added to any hyperlink to prevent the new window from accessing the previous window object.
"Sweet!"
Well here's the catch: Because they didn't want to 'break the internet' this became an optional attribute that web developers and designers have to add to each single hyperlink in order to protect you. This means that trillions of Hyperlinks that do not give us this protection have to be fixed, manually, and let's be honest, this will not happen.
"Break the internet? But.. my security!"
Well they do have a point in some way, since some web applications make use of this function, it would break those web applications if they would just change the way hyperlinks work.
"So what now?"
I created a simple browser extension to solve this problem for you.
When you add this extension to your browser, all it will do is add the "rel=noopener" attribute to any hyperlink that opens a page in a new tab or window.
"But won't this 'break my internet'?"
Nope! Because when a hyperlink points to a web page hosted on the same domain name as the one you're on, it will NOT add the rel=noopener attribute. Neat huh?
"Does it do anything else?"
No, that's all! :]
I just want to share this with the rest of the internet.
"Can you give me some technical details?"
Sure thing! Basically, this add-on:
1. Searches for any hyperlink that points to a page that is not hosted on the same domain as the viewed page and checks if it has the target="_blank" attribute.
2A. If the found Hyperlink has no rel= attribute, it adds rel=noopener to the hyperlink.
2B. If the found Hyperlink already has a rel= attribute the noopener value is added if it does not exist, leaving all other values intact.
"When I press 'Add to Firefox' it says "Access your data for all websites", that's scary!"
Kudos for being alert!
This add-on needs to make changes to the underlying HTML-code of every web-page you visit to add the "rel=noopener" attribute.
That's all it is, it's not eaves-dropping or anything like that.
I invite you to view the source code of this add-on to put your mind at ease.
"Where can I find the source code?"
I used to host it on GitHub, but wasn't keeping it up-to-date. I therefore disabled the repository until I have a proper one.
However, for now, you can use a neat little trick, just right-click the "Add to Firefox" button and save the file offered to you.
Noticed that it's extension is ".xpi"? Suprise, it's actually a ZIP-file, so just rename it to ".zip" and open it. Poof! Magic!
Report this add-on for abuse
If you think this add-on violates Mozilla's add-on policies or has security or privacy issues, please report these issues to Mozilla using this form.
Please don't use this form to report bugs or request add-on features; this report will be sent to Mozilla and not to the add-on developer.
The developer of this extension asks that you help support its continued development by making a small contribution.
- Version
- 2.2.0
- Size
- 10.72 KB
- Last updated
- a year ago (Mar 22, 2020)
- License
- MIT/X11 License
- Version History
'Don't touch my tabs!' now also protects you on pages that are loaded within frames!
Technical details:
In 'manifest.json', "all_frames=true" was added to 'content_scripts'.
Also see: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_scripts
Technical details:
In 'manifest.json', "all_frames=true" was added to 'content_scripts'.
Also see: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_scripts
- There are no ratings yet
- There are no ratings yet
- There are no ratings yet
- There are no ratings yet
- There are no ratings yet
- There are no ratings yet