Class OpenInNewTabAction

java.lang.Object
com.vaadin.flow.component.trigger.internal.Action
com.vaadin.flow.component.trigger.internal.OpenInNewTabAction
All Implemented Interfaces:
Serializable

public class OpenInNewTabAction extends Action
Opens a URL in a new browser tab or window via window.open(url, "_blank", features) when the bound trigger fires.

Most browsers block window.open calls that don't happen inside a transient user activation. Bind this action to a Trigger that fires during such a gesture — typically a ClickTrigger — so the call inherits the gesture and the popup is allowed.

Two axes of configuration:

  • URL — either a known String or an Action.Input of String resolved on the client at fire time (e.g. the current value of an input field, or a blob: URL the client just minted).
  • Features — the third argument to window.open, controlling popup characteristics such as opener access (the standard "noopener" / "noreferrer" tokens) and window sizing ("width=600,height=400"). When not supplied, defaults to "noopener,noreferrer", which severs window.opener on the new page and strips the Referer header — the safe default for opening untrusted URLs. Callers that supply their own features are responsible for including those tokens themselves if they want the same protection.
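Because a caller-supplied features string replaces the defaults, it is worth auditing such strings before they reach the constructor. The following is an added example, not Vaadin code: the function names are hypothetical, and the tokenizer is a simplified reading of the HTML Standard's window-features rules (an assumption of this example).

```javascript
// Added example, not Vaadin code. Simplified tokenizer: splits on "," and "=".
function tokenizeFeatures(features) {
  const tokens = new Map();
  for (const part of String(features).split(",")) {
    const [rawName, ...rest] = part.split("=");
    const name = rawName.trim().toLowerCase();
    // A later occurrence of the same name overrides an earlier one.
    if (name) tokens.set(name, rest.join("=").trim().toLowerCase());
  }
  return tokens;
}

// Boolean feature: a bare token, "yes", "true" or a non-zero integer enables it.
function isEnabled(tokens, name) {
  if (!tokens.has(name)) return false;
  const value = tokens.get(name);
  if (value === "" || value === "yes" || value === "true") return true;
  const parsed = parseInt(value, 10);
  return Number.isInteger(parsed) && parsed !== 0;
}

// Reports which protections a features string actually requests.
function auditFeatures(features) {
  const tokens = tokenizeFeatures(features);
  const noreferrer = isEnabled(tokens, "noreferrer");
  // noreferrer implies noopener.
  return { noopener: noreferrer || isEnabled(tokens, "noopener"), noreferrer };
}

// Appends whichever of the two tokens the string does not already enable.
function withOpenerProtection(features) {
  const audit = auditFeatures(features);
  const missing = ["noopener", "noreferrer"].filter((t) => !audit[t]);
  return [String(features).trim(), ...missing].filter(Boolean).join(",");
}
```

Running `withOpenerProtection` over a sizing-only string such as the `"width=600,height=400"` mentioned above yields a string that carries both tokens again.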

The target is always "_blank" — opening into the current tab is not the point of this action, and reusing a named window has different popup blocker semantics that this primitive does not try to model. If you need to navigate the current tab, use Page.setLocation; if you need named windows, call window.open via executeJs directly.

javascript: URLs are rejected: static-String URLs throw IllegalArgumentException from the constructor, and Action.Input URLs resolved on the client are silently dropped at fire time (the generated JS short-circuits window.open). This prevents an attacker-controlled value flowing through a PropertyInput from executing arbitrary script in the opener's origin. The check mirrors the URL parser's leading-whitespace handling (C0 controls and ASCII space are stripped before the scheme) so a leading tab/newline can't smuggle one through.
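A client-side guard in the spirit of the check described above, as an added example that is not Vaadin's generated code (the function names are hypothetical). It goes slightly beyond the leading-character case by also removing ASCII tab and newline characters anywhere in the value, which the WHATWG URL parser discards before reading the scheme.

```javascript
// Added example: hypothetical helper names, not part of Vaadin.

// Leading C0 controls (U+0000-U+001F) and ASCII space are stripped by the
// URL parser before it looks for the scheme.
const LEADING_C0_OR_SPACE = /^[\u0000-\u0020]+/;
// The parser also drops ASCII tab and newline characters wherever they occur.
const TAB_OR_NEWLINE = /[\t\n\r]/g;

function isJavascriptUrl(value) {
  const normalized = String(value)
    .replace(LEADING_C0_OR_SPACE, "")
    .replace(TAB_OR_NEWLINE, "");
  // Scheme matching is ASCII case-insensitive.
  return /^javascript:/i.test(normalized);
}

// Returns the argument list for window.open, or null when the call must be
// skipped. The default features match the ones documented on this page.
function openArgs(url, features = "noopener,noreferrer") {
  if (url == null || isJavascriptUrl(url)) return null;
  return [url, "_blank", features];
}

// Browser entry point: silently does nothing for a rejected value, which is
// the fire-time behaviour the page describes for Action.Input URLs.
function openInNewTab(url, features) {
  const args = openArgs(url, features);
  if (args !== null) window.open(...args);
}
```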

No outcome callback: the browser does not reliably report whether the popup was blocked (the spec lets window.open return null, but not every blocker path does so), and never reports when the new tab is closed.


 // Open a known URL in a new tab.
 new ClickTrigger(button)
         .triggers(new OpenInNewTabAction("https://vaadin.com/docs"));

 // Open whatever URL the user typed into a field.
 Action.Input<String> urlInput = new PropertyInput<>(urlField, "value",
         String.class);
 new ClickTrigger(button).triggers(new OpenInNewTabAction(urlInput));

 // Open a sized popup window with custom features. Note that supplying
 // features replaces the noopener/noreferrer defaults — include them
 // explicitly if you want the same protection.
 new ClickTrigger(button).triggers(new OpenInNewTabAction("/help",
         "noopener,noreferrer,width=600,height=400"));
 
For internal use only. May be renamed or removed in a future release.
  • Constructor Details

    • OpenInNewTabAction

      public OpenInNewTabAction(String url)
      Opens url in a new tab with the default features ("noopener,noreferrer").
      Parameters:
      url - the URL to open, not null and not a javascript: URL
      Throws:
      IllegalArgumentException - if url starts with javascript: (after stripping leading whitespace/control characters)
    • OpenInNewTabAction

      public OpenInNewTabAction(String url, String features)
      Opens url in a new tab with the given features. The features string is passed verbatim as the third argument to window.open; supplying it replaces — does not extend — the default features, so include "noopener,noreferrer" explicitly if you want the same protection.
      Parameters:
      url - the URL to open, not null and not a javascript: URL
      features - the features string for window.open, not null
      Throws:
      IllegalArgumentException - if url starts with javascript: (after stripping leading whitespace/control characters)
    • OpenInNewTabAction

      public OpenInNewTabAction(Action.Input<String> url)
      Opens a URL resolved on the client at fire time, with the default features ("noopener,noreferrer"). javascript: URLs produced by the input are blocked on the client.
      Parameters:
      url - input supplying the URL when the trigger fires, not null
    • OpenInNewTabAction

      public OpenInNewTabAction(Action.Input<String> url, Action.Input<String> features)
      Opens a URL resolved on the client at fire time, with features also resolved on the client. javascript: URLs produced by the input are blocked on the client.
      Parameters:
      url - input supplying the URL when the trigger fires, not null
      features - input supplying the features string when the trigger fires, not null
  • Method Details

    • toJs

      protected JsFunction toJs(Trigger trigger)
      Description copied from class: Action
      Builds the JsFunction that runs this action when the surrounding trigger fires. The returned function takes one runtime argument named event (declared by the framework when it composes the trigger handler); subclasses do not declare argument names themselves.

      The body is one statement. To embed a value produced on the client, capture an Action.Input's JsFunction as a capture and invoke it inside the body as $N(event).

      Specified by:
      toJs in class Action
      Parameters:
      trigger - the surrounding trigger this render is for, not null
      Returns:
      the action's JS function, not null