Let users explore external content without losing their place
Topics
How do I make my HTML link open in a new tab?
What is target="_blank" in HTML?
Should I use rel="noopener noreferrer"?
How do I open a link in a new tab in HTML?
Learn how to open links in a new tab using
target="_blank"safely. This guide explains therel="noopener noreferrer"security practice, preventing tabnabbing, with practical HTML and JavaScript examples to improve user experience without risking vulnerabilities.
target="_blank". You've seen it, you've used it, but are you using it safely? While opening a link in a new tab is fundamental to a great user experience—letting users explore documents or external sites without losing their place—this simple attribute carries a hidden security risk that many developers overlook.
In this guide, we'll show you not just how to master this technique but how to do it the right way. We'll cover the various methods in HTML, explain the security vulnerabilities you need to patch, and provide practical, copy-paste-ready examples for your projects.
In web development, creating hyperlinks involves using the anchor (<a>) tag. The link address is defined by the href attribute, which specifies the URL of the target web page or resource.
1<a href="https://example.com">Visit Example</a> 2
By default, clicking this link will open the target URL in the same tab, replacing the current web page content. But what if the goal is to open the link in a new tab or window?
The simplest method to open a link in a new tab is by using the target attribute with the value _blank to the anchor tag. When a user clicks this link, the browser opens the linked URL in a new tab or new window, depending on the browser's settings.
1<a href="https://example.com" target="_blank">Open Example in New Tab</a> 2
The target attribute controls where the linked document appears:
1target="_self" // Opens in the same tab (default behavior). 2 3target="_blank" // Opens in a new tab or new window. 4
Using target="_blank" improves navigation for users, especially when linking to external sites or login pages. It prevents users from unintentionally leaving your website.
Also, it is recommended to use the rel attribute in combination with target="_blank" for security reasons, especially to prevent tabnabbing attacks. Tabnabbing occurs when a newly opened tab manipulates the original tab, tricking the user into providing sensitive information, such as login details.
Example of Tabnabbing Attack:
Tabnabbing occurs when an attacker opens a page in a new tab, waits for the user to switch back to the original tab, and then manipulates its content to mimic a login page.
This is why always using rel="noopener noreferrer" is important when using target="_blank".
Check out the expert post here → Google Developers on noopener noreferrer
Example of a secure link with rel:
1<a href="https://example.com" target="_blank" rel="noopener noreferrer">Secure Example Link</a> 2
The noopener keyword prevents the newly opened tab from accessing the window.opener object, which reduces the risk of potential vulnerability. The noreferrer keyword prevents the browser from sending the referring page’s URL.
Great user navigation starts with details like this, but is built on a solid project setup. Spend more time perfecting your user experience.
If you want to force all links on your web page to open in a new tab without manually adding the target="_blank" attribute to every <a> tag, you can use JavaScript.
1<script> 2 document.querySelectorAll('a[href]').forEach(function(link) { 3 link.setAttribute('target', '_blank'); 4 link.setAttribute('rel', 'noopener noreferrer'); 5 }); 6</script> 7
This script selects all links with an href attribute and automatically applies target="_blank" and the secure rel attributes. This approach works well for large web projects where manually modifying each link is inefficient.
Also, you can use the <base> element to set a default target for all links on a web page, including opening all links in a new tab.
If you want to force all links on your web page to open in a new tab without manually adding the target="_blank" attribute to every <a> tag, you can use the <base> element in the <head> of your HTML document:
1<head> 2 <base target="_blank"> 3</head> 4
This tells the browser that, by default, all links should open in a new tab or window unless overridden by a specific target attribute on individual links.
Important Note: While the
<base target="_blank">approach works well to set a global rule, it does not automatically include the securerel="noopener noreferrer"attributes, which are important to prevent security vulnerabilities like tabnabbing.
For enhanced security, it's recommended to pair this method with JavaScript to set the rel attribute:
1<script> 2 document.querySelectorAll('a[href]').forEach(function(link) { 3 link.setAttribute('rel', 'noopener noreferrer'); 4 }); 5</script> 6
<base> vs. JavaScript Method:<base target="_blank"> when you want a simple, global solution for small projects or static sites.rel="noopener noreferrer"), especially for large-scale or dynamic web applications.Sometimes, developers want a link or button to automatically open in a new tab when the page loads or a certain action happens.
Using JavaScript:
1<script> 2 window.onload = function() { 3 window.open('https://example.com', '_blank'); 4 }; 5</script> 6
This method opens a new tab when the page loads, which may not always be user-friendly but can be helpful in specific scenarios, such as redirecting users to documentation after login.
For further insights, consider reading expert posts on this topic→ Tweets from web development thought leaders
Always start your HTML documents with the proper doctype declaration to ensure consistent browser behavior:
1<!DOCTYPE html> 2<html lang="en"> 3<head> 4 <meta charset="UTF-8"> 5 <title>Open Link Example</title> 6</head> 7<body> 8 <!-- Content here --> 9</body> 10</html> 11
The <!DOCTYPE html> tag ensures that your page uses the latest HTML standards, reducing inconsistencies in how links and attributes behave across different browsers.
Opening a website link in a new tab is common, but it introduces potential security vulnerabilities like tabnabbing. An attacker can manipulate the original tab to trick users into entering sensitive data.
To mitigate this, always include:
1rel="noopener noreferrer" 2
This combination ensures that:
1// The linked URL cannot access the window object of the originating page. 2// No referral information is passed to the linked site, which can help maintain privacy. 3
Refer to experts like Google Web Fundamentals for best practices related to using the noopener and noreferrer keywords.
HTML buttons are commonly used to navigate users to other pages. By default, buttons don’t have a target attribute, so JavaScript is necessary.
1<button onclick="window.open('https://example.com', '_blank')">Visit Example</button> 2
This code ensures that when the user clicks the button, the link opens in a new tab rather than the same tab or page.
For accessibility and user experience, it's important to inform users that a link will open in a new tab. This can be done by adding text next to the link or using an icon.
1<a href="https://example.com" target="_blank" rel="noopener noreferrer"> 2 Visit Example (opens in new tab) 3</a> 4
Additionally, for accessibility, the aria-label attribute can help screen readers:
1<a href="https://example.com" target="_blank" rel="noopener noreferrer" aria-label="Opens in a new tab"> 2 Visit Example 3</a> 4
Using rel="noreferrer" does not negatively impact SEO. It simply prevents the browser from sending the referring page URL to the linked site. This is especially useful when linking to untrusted external sites or third-party domains where partial access is preferred.
When developing a React application, you often use JSX to define components. To open a link in a new tab within React:
1<a href="https://example.com" target="_blank" rel="noopener noreferrer">Visit Example</a> 2
Alternatively, using a button:
1<button onClick={() => window.open('https://example.com', '_blank')}>Open Link</button> 2
This method keeps the React application efficient while allowing the link to open in a new window or tab.
When linking to pages requiring login details, it's preferable to open the page in the same tab unless partial access is provided. Opening a login page in a new tab might confuse the user or increase the risk of exposing sensitive data.
Best practice is to clearly inform users and design the flow carefully to avoid unnecessary tab openings for login pages.
Recommended reading:
Implementing proper methods to open links in a new tab helps maintain a smooth user experience and strengthens website security. Whether using simple HTML attributes or dynamic JavaScript methods, understanding the balance between user convenience and security is important.
This guide provided an in-depth explanation of the target and rel attributes, practical examples of using buttons and React components, and security implications regarding tabnabbing. By applying these solutions, web developers can create safer and more user-friendly websites.