In our software, we have a page with a link that opens a page within the same site in a new tab using target='_blank'. When the user is done working on that newly opened page, they click a button and when the page refreshes, it calls the following code.
window.opener.location.href = window.opener.location.href; window.close();
This has worked fine for ages but within the last week or so stopped working in all browsers. I can't seem to find anything when I google it about a new security restriction being implemented that would cause this. Any idea what's going on and how to get it working again? I've tested the following code in chrome, firefox, edge and IE11. In all but IE11 window.opener is null. In IE it is not. Is there possibly a new security setting in browsers that would cause this?
<html>
<body>
click me
</body>
</html>
<html>
<body>
<script>
alert(window.opener === null);
</script>
</body>
</html>
I am not sure which version of chrome browser you tested your code on. To avoid "tab-napping" attacks, many browsers have started implementing noopener behavior by default for anchors that target _blank.
Chrome enabled noopener behavior in release 88.
Safari also enabled this in release 68.
I couldn't find any reference to IE 11 change. But it's worth trying adding rel="opener" in anchor tags with target=_blank
Related
As many resources state, e.g. this SO post: javascript close current window as well as Mozilla's own documentation, it shouldn't be possible to close a window/new tab that wasn't opened by javascript through window.open().
However, I've just experienced that this works perfectly when then new tab has been opened through an anchor tag with the attribute target="_blank" in all the mentioned browsers at the bottom - however, it didn't work in Mozilla Firefox when the rel="noopener" attribute were included (did work without, but as per Mozilla's documentation, don't leave it out for security reasons).
How come this is the case? Is the target="_blank" simply considered a script?
Below you can find 2 sample codes that you can copy/paste into HTML files and try out on your own computer.
First file: open the new tab:
<html>
<body>
Open new tab
</body>
</html>
Second file: the HTML that you open with above snippet - contains a button to close same tab:
<html>
<body>
<button onclick="window.close();">Close me!</button>
</body>
</html>
This has also been tested on a live website and has been tested to work on the following browsers as well:
Internet Explorer, version 11.1397.17763.0 (with "blocked script/activeX content" allowed)
Chrome, version 85.0.4183.83
Edge, version 85.0.564.44
As mentioned above, it didn't work in Mozilla Firefox when rel="noopener" was included.
How come this is the case? Is the target="_blank" simply considered a script?
The MDN already links to the relevant specifications.
https://html.spec.whatwg.org/multipage/window-object.html#dom-window-close says the window can be closed, if it is script-closable, and links to the following definition of that,
A browsing context is script-closable if it is an auxiliary browsing context that was created by a script (as opposed to by an action of the user), or if it is a top-level browsing context whose session history contains only one Document.
(https://html.spec.whatwg.org/multipage/window-object.html#script-closable)
target="_blank" creates a top-level browing context, and as long as you don’t navigate anywhere inside the popup, it also has a one-document history … So it is allowed to be closed by script.
I have implemented Paypal's In-Context Express Checkout on a website (HTML and JQuery, no shopping cart, no CMS or anything), and it works perfectly on Firefox and Chrome for Windows, and Safari, Firefox, Chrome & Opera for Mac, but it doesn't work on IE.
Paypal's "Paypal Checkout" button is missing on IE. Every other browser has a button inserted which is the one that is clicked on to "activate" the checkout flow, but on IE the button is missing and thus the checkout flow is not activated.
The problem is ONLY on Internet Explorer. IE11, using X-UA-Compatible IE=EDGE.
Any help is greatly appreciated.
I don't see your integration but I'm guessing you're calling window.paypalCheckoutReady far later than the script is being inserted into the page and run, which will mean the paypalCheckoutReady event has already fired. To mitigate this and to prevent blocking the page load, the script tag should be at the end of your page before the closing </body> tag, and have the async attribute added to it.
It turns out that by moving the <script> tag with checkout.js from the <head> to the <body> right before the <form> tag, it works on IE.
I am testing my noscript tags which display content when javascript is disabled, this works in Safari, Chrome, Firefox, Camino, IE6, IE7, IE8, IE9, basically everything but Opera (I'm running version 11, not sure if its isolated to that version).
In Opera 11 nothing is displayed... is the noscript tag not supported? and what is the alternative?
Nothing surprising:
<noscript>Please enable JavaScript.</noscript>
Located between the body tags.
<html>
<body>
<script>alert('Hello World');</script>
<noscript>Hello World!</noscript>
</body>
</html>
Are you sure you disabled javascript in Opera:
Menu >> Settings >> Preferences >> Content >> Deselect "Enable Javascript"
If so, then post the contents of your entire file here.
EDIT
Until they fix this bug in version 11 which I reckon will happen shortly you can try this:
<script type="text/javascript">
<!--
document.write("<style type='text/css'>.noScript { display: none; }</style>");
//-->
</script>
<span class="noScript">Please enable javascript in your browser.</span>
You are basically using javascript to show css which hides the no script message, but if javascript is disabled then there is no way that css can be displayed hence the message will show.
Uh, yeah. We (as in Opera) broke <noscript> in Opera 11. Known bug.
Implementation of <noscript> is buggy and inconsistent and not recommended. You'd be better off doing something like:
<span class="noscript">Please enable JavaScript.</span>
You can then use JavaScript to hide anything with a class of "noscript" on page load. People with JavaScript disabled will see the message because it won't be hidden.
Hrm. I had wrapped a meta refresh within a noscript, so that a page could automatically reload if a certain set of elements within it couldn't reload via javascript. I can't see any alternative like the hack involving hiding CSS elements. My original thought was perhaps to set a meta refresh header, but override that to not refresh at all if the javascript could execute, but I can't see any ways for javascript to redefine the page refresh time.
try this
<span class="noscript"></span>
<noscript>Please enable JavaScript.</noscript>
The noscript element isn't recommended. It won't work if scripts are partially blocked (e.g. by a corporate firewall or the NoScript extension, or just a temporary DNS failure).
Build on things that work instead.
This works well for me... (Tested in IE, Opera, and FireFox)
<p id="js_disabled">
<script type="text/javascript">
document.getElementById('js_disabled').style.display = 'none';
</script>
Javascript is disabled or not supported by your browser.<br/>
Javascript must be enabled...
</p>
The JavaScript runs immediately so the noscript message never appears.
The idea is to place the JavaScript code immediately following the noscript's opening tag, in this case the paragraph tags.
I have seen many examples on using javascript to resize a browser window, but for me they all fail to perform that function in IE. I include my code to see if anything is wrong with it that I just don't see. The code works great in FF but that is not used at my location.
I am no javaScript expert, but I am no slouch either. If I were new to javaScript I would be hating it. I'm sure it has something to do with IE but I cannot explain it.
Any help would be great.
CODE:
//window.sizeToContent();
window.resizeTo(700, 700);
I read in the docs that sizeToContent will not work in IE but resize should. It is an incredibly simple statement.
This works for me in Internet explorer 8
<html>
<head>
</head>
<body>
<h1>Resized</h1>
<script>
window.resizeTo(400,400);
</script>
</body>
I did some testing in IE9 beta (that's the only version of IE that I have on this machine), and it seems that window.resizeTo does not work on the initial page load. It does work if you refresh the page. Also, it does work if you delay its execution:
setTimeout(function() {
window.resizeTo(200, 200);
}, 2000);
(at least in IE9 beta)
The "working" example with IE is working only because there are no more tabs on the window.
If the windows has other tabs loaded, then it DOES NOT work. It's a security measure of IE8 and higher.
If you need to resize your window, you will need to open a new window. And for that, you will need to make the user click a button with the window.open onclick event, otherwise any popup blocker will block it.
You won't be able to resize the window reliably with JavaScript. It's not possible in IE 7 with tabbed browsing enabled. It's also potentially annoying for the user.
This seems to be IE only.
If your window is a "dialog" like:
window.showModalDialog(url,...)
I found this hacky way to make it the right size:
<script type="text/javascript">
//window.resizeTo(1000, 790); //Will not work if its a dialog
window.dialogWidth = '1000px';
window.dialogHeight = '790px';
</script>
In IE8, Safari, Chrome and Firefox if I right-click on the link the new tab and new window options are disabled. Right-clicking the link in IE7 still has these two options enabled. Is there any way to disabled these options in IE7 for javascript links?
Sample Code:
<html>
<body>
Javascript link
</body>
</html>
This does not have anything to do with the HTML, but the browser. I am 99.9% sure you can't change it, it's hardcoded in IE7 by Microsoft. Submit a bug to Microsoft, but they'll probably say "We no longer support IE7, nor do we give a crap about your problems." (Maybe not exactly like that :) ).
So, this is not a programming question, it's a software question, hence why you got downvoted (I didn't do it, but that's my assumption).