Tab napping protection causes external links to be flagged as bad in Chrome (iThemes Security plugin support forum)

  • Resolved websanity


    It appears that the latest update to Chrome dislikes the tab-napping protection feature and flags all external links opening in a new window as bad popups and blocks them. It must see such links as “abusive” (their words not mine). I confirmed this on 3 separate websites.

    Turn off tab-napping feature and the problem goes away.

    This is very very serious: nobody I spoke to realised the links were blocked as popups, they just thought that they weren’t working: could cause a lot of lost business for some sites. As I say, just turn it off, but maybe this feature should be removed??? (And Google should be called out for what they really are as well if you ask me)

    Keep up the good work, thanks,

Viewing 10 replies - 1 through 10 (of 10 total)
  • Sounds like a Google Chrome issue …

    Anyway, it seems iThemes even got the name wrong. This type of attack is officially named tabnabbing, not tabnapping.

    To prevent any confusion, I’m not iThemes.

    Thread Starter websanity


    Hi nlpro,

    tabnabbing – good to know correct terminology, thanks!

    Yes I think you are right and it is a Chrome issue, but iThemes will probably have to work around that because I doubt Google give a hoot about real world problems – unless they can squeeze money out of it they ain’t interested.

    Phew – I’m not the only one. This only happens since updating to the latest version of Chrome but I agree, the iThemes team needs to work around it or remove the feature.

    We’ve had a lot of missed conversions because users didn’t notice Chrome showing the pop-up blocked message (it’s barely noticeable for many) and so they couldn’t get to the external booking form (conversion point).

    I consider this a serious issue regardless of who is to blame.

    • This reply was modified 3 years, 9 months ago by Michael Ott.

    iThemes simply included an external JavaScript library (named blankshield) with the tabnabbing feature.

    The library file includes the following header:

    * blankshield - Prevent reverse tabnabbing phishing attacks caused by _blank
    * @version   0.6.0
    * @link
    * @author    Daniel St. Jules <>
    * @license   MIT

    Perhaps the author of the library will be able to fix the issue.
    And then iThemes could include the fixed library file.

    If the issue can’t be resolved by fixing the library file and Google is not going to fix the issue in Chrome then iThemes should definitely remove the feature from the plugin.

    Oh, by the way there is an updated version (0.6.3) of the library file available on github … maybe, just maybe … feel free to test it 😉

    Thread Starter websanity


    Well researched nlpro!

    I checked out the changelog for blankshield and 0.6.3 was released 23/8/18. It doesn’t mention anything about fixes and there are two comments from the last few days with people reporting the problem that we are all seeing, so I don’t think the latest version works either.

    I added my own comment and hope the author will be able to fix it or say that it is not fixable. One commenter puts it down possibly to this:

    Doesn’t look hopeful.

    @websanity @timothyblynjacobs
    Don’t worry, looks like there is some movement at iThemes in regards to this issue.

    The lead developer of the iTSec plugin (Timothy Jacobs) just added the comment below:

    We’re pushing a fix to add the noopener rel to links instead of using blankshield for browsers that support the noopener property.

    Sounds to me like the blankshield library is about to be thrown out the window 😉

    Thread Starter websanity


    iThemes: Good people!
    blankshield was our friend but now we’ve broken up it’s time to move on 🙂


    Not so fast … Turns out iThemes had the fix already pushed out on Feb 19th for the iTSec Pro (5.9.0) plugin.

    Just had a look at it and it seems iThemes added some custom JavaScript. Based on browser, browser version and support for the noopener property either rel="noopener" is added to all target="_blank" anchor elements in the page (like in Google Chrome v72) or target="_blank" anchor links are protected by the blankshield script.

    So it seems the blankshield script is here to stay …

    Additionally below the entry from the Pro 5.9.0 changelog:

    Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.

    • This reply was modified 3 years, 9 months ago by nlpro. Reason: Added changelog entry
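
The approach described in the reply above, sketched as an added example (this is not iThemes' or blankshield's code): where the browser honours rel="noopener", the attribute is merged into each target="_blank" link so the new tab opens with window.opener set to null; otherwise the links are handed back for a script fallback. All function names are hypothetical, and the relList.supports() feature test is an assumed detection method, since the thread only says the plugin decides by browser and version.

```javascript
// Added example. Anchor-like objects need only `target` and `rel`;
// in a browser these are real <a> elements.

// Merge tokens into a rel value without dropping or duplicating existing ones.
function mergeRel(rel, extra) {
  const tokens = (rel || '').split(/\s+/).filter(Boolean);
  for (const t of extra) {
    if (!tokens.some((x) => x.toLowerCase() === t)) tokens.push(t);
  }
  return tokens.join(' ');
}

// target keywords are matched case-insensitively by browsers.
function opensBlank(a) {
  return (a.target || '').toLowerCase() === '_blank';
}

// Feature test (assumed method): does this browser recognise rel="noopener"?
function supportsNoopener(doc) {
  try {
    const probe = doc.createElement('a');
    return !!(probe.relList && probe.relList.supports('noopener'));
  } catch (e) {
    return false; // no relList, or supports() not implemented for rel
  }
}

// Returns { patched, fallback }: links that received rel="noopener", and
// links left for a script shim (blankshield in the thread) to protect.
function protectLinks(anchors, noopenerSupported) {
  const result = { patched: [], fallback: [] };
  for (const a of anchors) {
    if (!opensBlank(a)) continue;
    if (noopenerSupported) {
      a.rel = mergeRel(a.rel, ['noopener']);
      result.patched.push(a);
    } else {
      result.fallback.push(a);
    }
  }
  return result;
}

// Browser wire-up; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  const links = Array.from(document.querySelectorAll('a[target]'));
  const { fallback } = protectLinks(links, supportsNoopener(document));
  console.log(fallback.length + ' link(s) still need the script fallback');
}
```

Links inserted into the page after this runs are not covered, so setting rel="noopener" in the markup itself remains the more reliable place for it.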

    Fixed in 7.3.1, though the blankshield script has not been updated and the WordPress Tweaks feature is still using incorrect terminology (tabnapping) …

    Thread Starter websanity


    Well credit to them for sorting that out.

    Thanks for pointing that out nlpro.

    I’ve tested rolling backwards and updating and confirm that
    7.3.0 has the problem but in 7.3.1 it is fixed.

    I’ll mark this as resolved.

    Bye folks!
