
Inspiration

I wanted a fast way to open large lists of links without handing them to someone else. Most bulk openers either force you to install extensions, ship your URLs to a server, or load tracking scripts. BulkOpen is my answer: a simple, privacy‑first tool that runs entirely in the browser.

What it does

BulkOpen parses pasted or imported URL lists, cleans and deduplicates them, and opens them in controlled batches of new tabs. It strips common tracking params, blocks unsafe schemes, enforces per‑host caps and optional HTTPS‑only mode, and surfaces invalid or blocked links so you can retry or export them. Nothing you paste ever leaves your browser.
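The cleaning steps described above (scheme blocking, HTTPS-only mode, tracking-parameter stripping, deduplication, per-host caps) can be sketched as follows. This is an added example, not BulkOpen's own code: the function name `cleanUrlList`, its option names, the rejection reason labels, and the tracking-parameter pattern are all assumptions.

```javascript
// Added example; names and lists here are assumptions, not BulkOpen's code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Assumed pattern: the page only says "common tracking params".
const TRACKING_PARAMS = /^(utm_[a-z]+|fbclid|gclid)$/i;

function cleanUrlList(text, { httpsOnly = false, perHostCap = Infinity } = {}) {
  const open = [];      // cleaned URLs that passed every check, in input order
  const rejected = [];  // { input, reason } entries to surface to the user
  const seen = new Set();
  const perHost = new Map();
  for (const raw of text.split(/\s+/).filter(Boolean)) {
    let url;
    try {
      url = new URL(raw);  // the platform's own parser; throws on invalid input
    } catch {
      rejected.push({ input: raw, reason: "invalid" });
      continue;
    }
    // Allow-list schemes instead of deny-listing javascript:, data:, file:, ...
    if (!ALLOWED_SCHEMES.has(url.protocol)) {
      rejected.push({ input: raw, reason: "blocked-scheme" });
      continue;
    }
    if (httpsOnly && url.protocol !== "https:") {
      rejected.push({ input: raw, reason: "not-https" });
      continue;
    }
    // Copy the keys first: deleting while iterating searchParams skips entries.
    for (const key of [...url.searchParams.keys()]) {
      if (TRACKING_PARAMS.test(key)) url.searchParams.delete(key);
    }
    const cleaned = url.href;  // normalized form (lowercased host) is the dedup key
    if (seen.has(cleaned)) continue;
    seen.add(cleaned);
    const count = perHost.get(url.host) || 0;
    if (count >= perHostCap) {
      rejected.push({ input: raw, reason: "host-cap" });
      continue;
    }
    perHost.set(url.host, count + 1);
    open.push(cleaned);
  }
  return { open, rejected };
}

// Constructed sample input (not from the original page).
const SAMPLE = `https://example.com/a?utm_source=news&id=1
https://EXAMPLE.com/a?id=1&fbclid=abc javascript:void(0)
http://example.org/x notaurl https://example.com/b https://example.com/c`;
```

Deduplicating on the normalized `href` after stripping parameters is what lets two differently tagged copies of the same link collapse into one tab.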

How I built it

  • Vanilla front-end JavaScript + CSS served from a single origin (no third‑party libs or ad tags).
  • All parsing and file handling use the browser’s own parsers (text/HTML/XML) and safe DOM APIs; binary spreadsheets are rejected.
  • LocalStorage stores saved lists and preferences (user‑controlled, removable with one click).
  • Strict Content Security Policy (connect-src 'none', frame-src/object-src/base-uri/form-action restrictions) and usage of rel=noopener/noreferrer style tab opening to minimize attack surface and referrer leakage.
  • Hosted behind Cloudflare as a protective proxy/CDN, but with page‑level analytics disabled and CSP blocking any external analytics beacons.

Challenges I ran into

  • Popup blockers and inconsistent browser behavior (mobile iOS in particular) - required a clear blocked-queue UX and retry flow.
  • Parsing messy, mixed-format inputs (HTML snippets, markdown, CSV) while keeping imports safe and rejecting potentially dangerous content.
  • Designing a CSP strict enough to prove “no uploads/analytics” without breaking necessary functionality.
  • Balancing power and simplicity: exposing batch/per‑host controls without overwhelming first-time users.

Accomplishments that I'm proud of

  • A working privacy‑by‑default bulk opener that never sends pasted URLs to a server and runs with no tracking.
  • A hardened page (CSP + connect-src 'none') that prevents inadvertent uploads or third‑party scripts from running.
  • Robust import/export and cleaning flows that handle many text formats and scale to large lists while keeping the UI responsive.
  • Thoughtful UX for blocked/invalid URLs, per‑host caps, and Advanced/Simple views so both casual and power users can work efficiently.

What I learned

  • Real-world browser quirks - popup blocking, referrer behavior, and platform limits - matter more than theory when opening many tabs.
  • CSPs are powerful but tricky: a strict policy improves privacy but requires careful feature design to avoid breakage.
  • Relying on native browser parsers and safe DOM APIs simplifies security and keeps the surface area small.
  • Accessibility and incremental updates improve usability when handling large lists.

What's next for BulkOpen

  • Better mobile UX and clearer guidance for platform‑specific limits (iOS/Android).
  • An optional, privacy‑preserving sync (client‑side encryption only) or export/import helpers for moving lists between devices - only as an opt‑in feature that preserves the “never send plain URLs to our servers” promise.
  • Improved parser support for common spreadsheet exports and more localization.
  • Small quality‑of‑life additions: keyboard-driven workflows, sharable list formats, and more presets for common workflows.
