Opening windows from the renderer

There are several ways to control how windows are created from trusted or untrusted content within a renderer. Windows can be created from the renderer in two ways:

  • clicking on links or submitting forms adorned with target=_blank
  • JavaScript calling window.open()

For same-origin content, the new window is created within the same process, enabling the parent to access the child window directly. This can be very useful for app sub-windows that act as preference panels, or similar, as the parent can render to the sub-window directly, as if it were a div in the parent. This is the same behavior as in the browser.

When nativeWindowOpen is set to false, window.open instead results in the creation of a BrowserWindowProxy, a light wrapper around BrowserWindow.

Electron pairs this native Chrome Window with a BrowserWindow under the hood. You can take advantage of all the customization available when creating a BrowserWindow in the main process by using webContents.setWindowOpenHandler() for renderer-created windows.

BrowserWindow constructor options are set by, in increasing precedence order: parsed options from the features string from window.open(), security-related webPreferences inherited from the parent, and options given by webContents.setWindowOpenHandler. Note that webContents.setWindowOpenHandler has final say and full privilege because it is invoked in the main process.

window.open(url[, frameName][, features])

  • url String
  • frameName String (optional)
  • features String (optional)

Returns BrowserWindowProxy | Window

features is a comma-separated key-value list, following the standard format of the browser. Electron will parse BrowserWindowConstructorOptions out of this list where possible, for convenience. For full control and better ergonomics, consider using webContents.setWindowOpenHandler to customize the BrowserWindow creation.

A subset of WebPreferences can be set directly, unnested, from the features string: zoomFactor, nodeIntegration, preload, javascript, contextIsolation, and webviewTag.

For example:

  1. window.open('https://github.com', '_blank', 'top=500,left=200,frame=false,nodeIntegration=no')

Notes:

  • Node integration will always be disabled in the opened window if it is disabled on the parent window.
  • Context isolation will always be enabled in the opened window if it is enabled on the parent window.
  • JavaScript will always be disabled in the opened window if it is disabled on the parent window.
  • Non-standard features (that are not handled by Chromium or Electron) given in features will be passed to any registered webContents‘s did-create-window event handler in the options argument.
  • frameName follows the specification of windowName located in the native documentation.

To customize or cancel the creation of the window, you can optionally set an override handler with webContents.setWindowOpenHandler() from the main process. Returning { action: 'deny' } cancels the window. Returning { action: 'allow', overrideBrowserWindowOptions: { ... } } will allow opening the window and setting the BrowserWindowConstructorOptions to be used when creating the window. Note that this is more powerful than passing options through the feature string, as the renderer has more limited privileges in deciding security preferences than the main process.

Native Window example

  1. // main.js
  2. const mainWindow = new BrowserWindow()
  3. // In this example, only windows with the `about:blank` url will be created.
  4. // All other urls will be blocked.
  5. mainWindow.webContents.setWindowOpenHandler(({ url }) => {
  6. if (url === 'about:blank') {
  7. return {
  8. action: 'allow',
  9. overrideBrowserWindowOptions: {
  10. frame: false,
  11. fullscreenable: false,
  12. backgroundColor: 'black',
  13. webPreferences: {
  14. preload: 'my-child-window-preload-script.js'
  15. }
  16. }
  17. }
  18. }
  19. return { action: 'deny' }
  20. })
  1. // renderer process (mainWindow)
  2. const childWindow = window.open('', 'modal')
  3. childWindow.document.write('<h1>Hello</h1>')

BrowserWindowProxy example

  1. // main.js
  2. const mainWindow = new BrowserWindow({
  3. webPreferences: { nativeWindowOpen: false }
  4. })
  5. mainWindow.webContents.setWindowOpenHandler(({ url }) => {
  6. if (url.startsWith('https://github.com/')) {
  7. return { action: 'allow' }
  8. }
  9. return { action: 'deny' }
  10. })
  11. mainWindow.webContents.on('did-create-window', (childWindow) => {
  12. // For example...
  13. childWindow.webContents.on('will-navigate', (e) => {
  14. e.preventDefault()
  15. })
  16. })
  1. // renderer.js
  2. const windowProxy = window.open('https://github.com/', null, 'minimizable=false')
  3. windowProxy.postMessage('hi', '*')