How to get Firefox 79's new security feature on ESR and Chromium

If you follow This Week in Linux you’ll know Firefox 79 is now adding the rel=“noopener” attribute to all links using target=“_blank”. I believe they’re the first browser to do this.

Example: <a href="example.com" target="_blank" rel="noopener">link</a>

Because of how Web standards work, without rel=“noopener” example.com can implant Javascript into any browser tab containing any Website in which a user clicked that example target=“_blank” link unless rel=“noopener” is present. An issue if example.com is evil or if they’re compromised.

You can confirm if your browser is vulnerable here: About rel=noopener

Fix for Firefox ESR and Firefox < 79:

  1. Enter about:config into the address bar and press Enter.
  2. Click “I accept the risk!”
  3. Search for “dom.targetBlankNoOpener.enabled”
  4. Double click on the line which turns the value to true.

Fix for Chromium:

  1. Do your own research finding a browser extension that adds noopener, the best one I could find is this one with 244 users: https://chrome.google.com/webstore/detail/no-opener-no-phishers/hieejlcohhkjbpiihgphcnaaiehphike

When in doubt:

  1. Right-click the link and choose “Copy Link Location” or “Copy link address”
  2. Open a new tab, paste to the Address Bar and press Enter.
1 Like