I know you can use "noopener" with window.open, which explicitly tells your browser to forbid the child window from accessing the parent window. This should have the affect of using rel="noopener" in a hyperlink.
However, Chrome 88 is soon (2021?) going to make "noopener" the default.
So is there a way to do the opposite, and explicitly set it to "opener"? So that the child window DOES have access to the parent window? I'm hoping to fix my link before it breaks with the newest Chrome.
I assume it'd be the code below? I'm not sure how I'd test this before the next version of Chrome releases. But I also don't want to wait to make this change until after my link breaks with the next release.
window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1,opener')
or
window.open(url,'_blank','toolbar=1,menubar=1,location=1,status=1,scrollbars=1', 'opener')
The HTML specification is clear about this, you can check it here.
I will share the first segment of the window.open steps:
The window open steps, given a string url, a string target, and a string features, are as follows:
If the event loop's termination nesting level is nonzero, return null.
Let source browsing context be the entry global object's browsing context.
If target is the empty string, then set target to "_blank".
Let tokenizedFeatures be the result of tokenizing features.
Let noopener and noreferrer be false.
If tokenizedFeatures["noopener"] exists, then:
Set noopener to the result of parsing tokenizedFeatures["noopener"] as a boolean feature.
Remove tokenizedFeatures["noopener"].
If tokenizedFeatures["noreferrer"] exists, then:
Set noreferrer to the result of parsing tokenizedFeatures["noreferrer"] as a boolean feature.
Remove tokenizedFeatures["noreferrer"].
If noreferrer is true, then set noopener to true.
You can see also in this bug tracker, which is tied to the commit that added that, that the edit is only concerned with anchors. I quote
Anchor target=_blank implies rel=noopener
The reason this edit is only done in anchors is because using window.open to trigger this attack would fall into XSS since it requires injecting JavaScript code.
The security issue this bug is concerned with, is that a user can put bad code in a page that you refer to but don't have access to. You can see it doesn't require Same Origin here. Another possible attack vector is when there is user-generated content on your website but this is unlikely since you are likely to escape the user input for XSS.
Final note, this edit is already available for you to test in Chrome Canary.