npmpackage.info

Gathering detailed insights and metrics for @hint/hint-disown-opener

@hint/hint-disown-opener - 4.0.23 | npmpackage.info

@hint/hint-disown-opener

💡 A hinting engine for the web

4.0.23

3,652

Apache-2.0

TypeScript

91.14 kB

5,126,715 2.6

Installations

npm install @hint/hint-disown-opener

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Node Version

18.19.1

NPM Version

10.5.0 Score

59.9

Supply Chain

84.5

Quality

75.6

Maintenance

Vulnerability

93.7

License

Pull Requests

Open

147

Total

4,090

Closed

1,362

Merged

2,581

Issues

Open

327

Total

1,842

Closed

1,515

Releases

954

Dist files

dist

Updated on Oct 01, 2019

configuration-development-v6.1.1

Updated on Mar 07, 2019

hint-sri-v3.0.5

Updated on Mar 07, 2019

hint-no-vulnerable-javascript-libraries-v2.7.0

Updated on Mar 07, 2019

hint-css-prefix-order-v1.0.2

Updated on Mar 07, 2019

hint-amp-validator-v2.7.0

Updated on Mar 07, 2019

View All 954 releases

Languages

TypeScript

JavaScript

CSS

Handlebars

EJS

HTML

Batchfile

Shell

TypeScript (91.49%)

JavaScript (4.96%)

CSS (2.22%)

Handlebars (0.76%)

EJS (0.5%)

HTML (0.06%)

Batchfile (0.01%)

Shell (0.01%)

Developer

webhintio

Download Statistics

Total Downloads

5,126,715

Last Day

1,813

Last Week

17,583

Last Month

77,520

Last Year

1,087,754

GitHub Statistics

Apache-2.0 License

3,652 Stars

6,372 Commits

743 Forks

74 Watchers

157 Branches

105 Contributors

Updated on Jun 20, 2025

Bundle Size

1.00 MB

Minified

91.14 kB

Minified + Gzipped

Bundlephobia

Maintainers

View All 105 Contributors

Package Meta Information

Latest Version

4.0.23

Package Id

@hint/hint-disown-opener@4.0.23

Unpacked Size

27.38 kB

Size

9.24 kB

File Count

NPM Version

10.5.0

Node Version

18.19.1

Published on

Aug 29, 2024

Total Downloads

Cumulative downloads

Total Downloads

5,126,715

Last Day

2.5%

1,813

Compared to previous day

Last Week

-6.2%

17,583

Compared to previous week

Last Month

-9.4%

77,520

Compared to previous month

Last Year

-11.7%

1,087,754

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

External links disown opener (`disown-opener`)

disown-opener checks if the rel attribute is specified with both the noopener and noreferrer values (or only noopener if all the targeted browsers support it) on a and area elements that have target="_blank" and link to other origins.

Why is this important?

Links that have target="_blank", such as <a href="https://example.com" target="_blank"> constitute:

a security problem

When using target="_blank", the page that was linked to gains access to the original page’s window.opener. This allows it to redirect the original page to whatever it wants, a technique frequently used for malicious attacks on the user. For example, the user could be redirected to a phishing page designed to look like the expected page and then asking for login credentials (see also: tab nabbing).

By adding rel="noopener" (and noreferrer for older browsers) the window.opener reference won’t be set, removing the ability for the page that was linked to from redirecting the original one.
a performance problem

Most modern browsers are multi-process. However, in most browsers, due to the synchronous cross-window access the DOM allows via window.opener, pages launched via target="_blank" end up in the same process as the origin page, and that can lead to the pages experiencing jank.

In Chromium based browsers, using rel="noopener" (or rel="noreferrer" for older versions), and thus, preventing the window.opener reference from being set, allows new pages to be opened in their own process.

Edge is not affected by this.

Notes:

Not all browsers support rel="noopener", so to ensure that things work as expected in as many browsers as possible, by default, the hint requires both the noopener and noreferrer values to be specified. However, if all the targeted browsers support noopener, only noopener will be required.
The reason why the hint does not check the same origin links by default is because:
- Security isn’t really a problem here.
- When it comes to performance, making same origin links open in their own process works against optimizations that some browsers do to keep multiple same origin tabs within the same process (e.g. share the same event loop).
Check Can the hint be configured? section to see how the hint can be made to also check same origin links.
noopener and noreferrer only work for a and area elements.
In the future there may be a CSP valueless property that will prevent the window.opener reference from being set.

What does the hint check?

By default, the hint checks if the rel attribute was specified with both the noopener and noreferrer values on a and area elements that have target="_blank" and link to other origins.

If the targeted browsers are specified, based on their support, the hint might only require the noopener value.

Let’s presume the original page is https://example1.com.

Examples that trigger the hint

1<a href="http://example1.com/example.html" target="_blank">example</a>

1<a href="https://en.example1.com" target="_blank">example</a>

1<a href="//example2.com" target="_blank">example</a>

1<a href="https://example2.com" target="_blank">example</a>

1<img src="example.png" width="10" height="10" usemap="#example">
2<map name="example">
3    <area shape="rect" coords="0,0,5,5" href="http://example3.com/example.html" target="_blank">
4</map>

Examples that pass the hint

1<a href="/" target="_blank">example</a>

1<a href="example.html" target="_blank">example</a>

1<a href="https://example1.com/example.html" target="_blank">example</a>

1<a href="http://example1.com/example.html" target="_blank" rel="noopener noreferrer">example</a>

1<a href="https://en.example1.com/example.html" target="_blank" rel="noopener noreferrer">example</a>

1<a href="//example2.com" target="_blank" rel="noopener noreferrer">example</a>

1<a href="https://example2.com" target="_blank" rel="noopener noreferrer">example</a>

1<img src="example.png" width="10" height="10" usemap="#example">
2<map name="example">
3    <area shape="rect" coords="0,0,5,5" href="example.html" target="_blank">
4</map>

1<img src="example.png" width="10" height="10" usemap="#example">
2<map name="example">
3    <area shape="rect" coords="0,0,5,5" href="http://example3.com/example.html" target="_blank" rel="noopener noreferrer">
4</map>

Can the hint be configured?

includeSameOriginURLs can be used to specify that same origin URLs should also include rel="noopener noreferrer".

In the .hintrc file:

1{
2    "connector": {...},
3    "formatters": [...],
4    "hints": {
5        "disown-opener": ["error", {
6            "includeSameOriginURLs": true
7        }],
8        ...
9    },
10    ...
11}

Also, note that this hint takes into consideration the targeted browsers, and if all of them support the noopener value, the hint won’t require the noreferrer value.

How to use this hint?

This package is installed automatically by webhint:

1npm install hint --save-dev

To use it, activate it via the .hintrc configuration file:

1{
2    "connector": {...},
3    "formatters": [...],
4    "hints": {
5        "disown-opener": "error",
6        ...
7    },
8    "parsers": [...],
9    ...
10}

Note: The recommended way of running webhint is as a devDependency of your project.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

1

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Security-Policy

Determines if the project has published a security policy.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

64 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
Warn: Project is vulnerable to: GHSA-r5fx-8r73-v86c
Warn: Project is vulnerable to: GHSA-28hp-fgcr-2r4h
Warn: Project is vulnerable to: GHSA-89mq-4x47-5v83
Warn: Project is vulnerable to: GHSA-5cp4-xmrw-59wf
Warn: Project is vulnerable to: GHSA-mhp6-pxh8-r675
Warn: Project is vulnerable to: GHSA-2qqx-w9hr-q5gx
Warn: Project is vulnerable to: GHSA-2vrf-hf26-jrp5
Warn: Project is vulnerable to: GHSA-4w4v-5hc9-xrr2
Warn: Project is vulnerable to: GHSA-j58c-ww9w-pwp5
Warn: Project is vulnerable to: GHSA-m9gf-397r-hwpg
Warn: Project is vulnerable to: GHSA-mqm9-c95h-x2p6
Warn: Project is vulnerable to: GHSA-prc3-vjfx-vhm9
Warn: Project is vulnerable to: GHSA-qwqh-hm9m-p5hr
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-8gh8-hqwg-xf34
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
Warn: Project is vulnerable to: GHSA-rmxg-73gg-4p98
Warn: Project is vulnerable to: GHSA-6c3j-c64m-qhgq
Warn: Project is vulnerable to: GHSA-gxr4-xjj5-5px2
Warn: Project is vulnerable to: GHSA-jpcq-cgw6-v4j6
Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
Warn: Project is vulnerable to: GHSA-vcjj-xf2r-mwvc
Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc

Score

2.6

/10

Last Scanned on 2025-06-23

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

@hint/hint-disown-opener

Installations

Developer Guide

Yes

CommonJS

18.19.1

10.5.0

Score

Pull Requests

147

4,090

1,362

2,581

Issues

327

1,842

1,515

Releases

Languages

Developer

Download Statistics

GitHub Statistics

Bundle Size

1.00 MB

91.14 kB

Maintainers

Package Meta Information

Total Downloads

5,126,715

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Peer Dependencies

Dev Dependencies

External links disown opener (disown-opener)

Why is this important?

What does the hint check?

Examples that trigger the hint

Examples that pass the hint

Can the hint be configured?

How to use this hint?

Further Reading

10

10

10

1

0

0

0

0

0

0

0

0

0

2.6

/10

External links disown opener (`disown-opener`)