How can JavaScript open a new browser window from a remote server?

I’m trying to understand how a website can make your browser open a new window automatically. I read about this in an article about web security. The author talked about a trick where they got people to visit a fake website. Then somehow the website’s JavaScript could open a new window and go to a different site.

I’m confused about how this works. The website is on a server somewhere else. How can it make your browser do things on your computer? Is there a way for JavaScript to open new windows or tabs without you clicking anything?

Here’s a simple example of what I mean:

function openNewWindow() {
  // How would this work?
  let newWindow = window.open('https://example.com', '_blank');
  // Can this really happen without user interaction?
}

Can someone explain how this kind of thing is possible? I thought browsers stopped websites from doing stuff like this without permission.

In my experience, modern browsers block unsolicited popups.

JS can open a new window when you click. Some sites sneakily bypass this with redirects after a click.

Always be careful and check what ya click!

I’ve dealt with this exact issue in my web development work. JavaScript can indeed open new windows, but browser security has gotten much tighter over the years.

Most of the time, window.open() will only work if it’s directly triggered by a user action like a click. This prevents malicious sites from bombarding you with pop-ups.

That said, there are some sneaky workarounds. I’ve seen sites use things like:

  • Opening windows on page unload
  • Chaining redirects after a legitimate click
  • Exploiting browser-specific quirks

As a developer, I always recommend against trying to force unwanted pop-ups. It’s bad for user experience and can get your site flagged as malicious.

If you need to open windows programmatically, it’s best to clearly inform the user and get their explicit consent first. That keeps things above board and respects user choice.

JavaScript’s ability to open new windows has indeed been restricted by modern browsers for security reasons. However, this behavior can still occur under specific circumstances without direct user consent. For instance, user interactions such as a click can trigger a new window, while some scripts use delayed execution with functions like setTimeout to bypass immediate restrictions. In other cases, embedding content within iframes may indirectly lead to window openings. Additionally, rare browser vulnerabilities can sometimes be exploited to allow unsolicited popups. It is advisable to keep your browser updated and exercise caution on unfamiliar websites.
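Added example, not part of the original posts: a page-side helper showing what the answers describe, namely that window.open() is only honored during a user gesture and returns null when the popup blocker refuses it. The names openFromGesture and fakeWindow are hypothetical, and fakeWindow is a constructed stand-in so the logic can run outside a browser.

```javascript
// Added example: openFromGesture and fakeWindow are hypothetical names.

// Open `url` in a new tab from inside a user-gesture handler and report
// whether the browser allowed it. `win` and `nav` default to the browser
// globals; they are parameters so the logic can run outside a browser.
function openFromGesture(url, win = globalThis.window, nav = globalThis.navigator) {
  // Only navigate to http(s); rejects javascript:, data:, etc.
  let target;
  try {
    target = new URL(url);
  } catch {
    return { opened: false, reason: 'invalid-url' };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { opened: false, reason: 'scheme-not-allowed' };
  }

  // Where the UserActivation API exists, skip the call when there is no
  // transient activation: the popup blocker would refuse it anyway.
  if (nav && nav.userActivation && !nav.userActivation.isActive) {
    return { opened: false, reason: 'no-user-activation' };
  }

  // window.open() returns null when the popup blocker refuses.
  // (Passing the "noopener" feature also makes it return null, so the
  // opener link is cut manually below instead.)
  const child = win.open(target.href, '_blank');
  if (child === null) {
    return { opened: false, reason: 'blocked' };
  }
  child.opener = null; // the new page cannot script or redirect this one
  return { opened: true, reason: null };
}

// Constructed stand-in for a browser window; `allow` mimics the blocker's decision.
function fakeWindow(allow) {
  const calls = [];
  return {
    calls,
    open(href, name) {
      calls.push([href, name]);
      return allow ? { opener: this } : null;
    },
  };
}

// In a page: button.addEventListener('click', () => openFromGesture('https://example.com'));
```

Called outside a click or key handler, the same function reports 'no-user-activation' or 'blocked' instead of opening anything, which is the behavior the question asks about.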