MessageEventTarget mixin
(四)9.4.4 Message ports
(五)9.4.5 Ports and garbage collection
(三)9.5 Broadcasting to other browsing contexts
postMessage() API can be used as a tracking
vector.
iframe element that contains document B,
and script in document A calls postMessage() on the
Window object of document B, then a message event will be fired on that object,
marked as originating from the Window of document A. The script in document A might
look like:
var o= document. getElementsByTagName( 'iframe' )[ 0 ]; o. contentWindow. postMessage( 'Hello world' , 'https://b.example.org/' ); addEventListener() (or similar mechanisms). For example, the script in document B
might look like:
window. addEventListener( 'message' , receiver, false );
function receiver( e) {
if ( e. origin == 'https://example.com' ) {
if ( e. data == 'Hello world' ) { e. source. postMessage( 'Hello' , e. origin);
} else {
alert( e. data);
}
}
} origin attribute to
ensure that messages are only accepted from domains that they expect to receive messages from.
Otherwise, bugs in the author's message handling code could be exploited by hostile sites.
Furthermore, even after checking the origin
attribute, authors should also check that the data in question is of the expected format.
Otherwise, if the source of the event has been attacked using a cross-site scripting flaw, further
unchecked processing of information sent using the postMessage() method could result in the attack being
propagated into the receiver.
Authors should not use the wildcard keyword (*) in the targetOrigin
argument in messages that contain any confidential information, as otherwise there is no way to
guarantee that the message is only delivered to the recipient to which it was intended.
dispatchEvent() or otherwise) to objects in
other origins (those that are not the same).
Implementers are urged to take extra care in the implementation of this feature.
It allows authors to transmit information from one domain to another domain, which is normally
disallowed for security reasons. It also requires that UAs be careful to allow access to certain
properties but not others.
window.postMessage(message [, options ])
Window/postMessage
Support in all current engines.
Firefox3+Safari4+Chrome2+Date objects, etc.),
and can contain certain data objects such as File Blob,
FileList, and ArrayBuffer objects.
Objects listed in the transfer member
of options are transferred, not just cloned, meaning that they are no longer usable
on the sending side.
A target origin can be specified using the targetOrigin member of
options. If not provided, it defaults to "/". This default
restricts the message to same-origin targets only.
If the origin of the target window doesn't match the given target origin, the message is
discarded, to avoid information leakage. To send the message to the target regardless of origin,
set the target origin to "*".
Throws a "DataCloneError" DOMExceptioniftransfer array contains duplicate objects or if message could not be
cloned.
window.postMessage(message, targetOrigin [, transfer ])
This is an alternate version of postMessage() where the target origin is specified
as a parameter. Calling window.postMessage(message, target, transfer) is
equivalent to window.postMessage(message, {targetOrigin,
transfer}).
When posting a message to a Window of a browsing context
that has just been navigated to a new Document is likely to result in the message not
receiving its intended recipient: the scripts in the target browsing context have to
have had time to set up listeners for the messages. Thus, for instance, in situations where a
message is to be sent to the Window of newly created child iframe,
authors are advised to have the child Document post a message to their parent
announcing their readiness to receive messages, and for the parent to wait for this message before
beginning posting messages.
The window post message steps, given a targetWindow, message,
and options, are as follows:
Let targetRealmbetargetWindow's realm.
Let incumbentSettings be the incumbent settings object.
Let targetOriginbeoptions["targetOrigin"].
IftargetOrigin is a single U+002F SOLIDUS character (/), then set
targetOrigintoincumbentSettings's origin.
Otherwise, if targetOrigin is not a single U+002A ASTERISK character (*),
then:
Let parsedURL be the result of running the URL parserontargetOrigin.
IfparsedURL is failure, then throw a "SyntaxError"
DOMException.
Set targetOrigintoparsedURL's origin.
Let transferbeoptions["transfer"].
Let serializeWithTransferResultbeStructuredSerializeWithTransfer(message, transfer). Rethrow
any exceptions.
Queue a global task on the posted message task source given
targetWindow to run the following steps:
If the targetOrigin argument is not a single literal U+002A ASTERISK character
(*) and targetWindow's associated
Document's origin is not
same origin with targetOrigin, then return.
Let origin be the serializationofincumbentSettings's origin.
Let source be the WindowProxy object corresponding to
incumbentSettings's global
object (aWindow object).
Let deserializeRecordbeStructuredDeserializeWithTransfer(serializeWithTransferResult,
targetRealm).
If this throws an exception, catch it, fire an
event named messageerrorattargetWindow, using MessageEvent, with the origin attribute initialized to origin and
the source attribute initialized to
source, and then return.
Let messageClonebedeserializeRecord.[[Deserialized]].
Let newPorts be a new frozen array consisting of all
MessagePort objects in deserializeRecord.[[TransferredValues]], if any,
maintaining their relative order.
Fire an event named messageattargetWindow, using
MessageEvent, with the origin
attribute initialized to origin, the source attribute initialized to source, the
data attribute initialized to
messageClone, and the ports attribute
initialized to newPorts.
The Window interface's postMessage(message,
options) method steps are to run the window post message
steps given this, message, and options.
The Window interface's postMessage(message, targetOrigin,
transfer) method steps are to run the window post message
steps given this, message, and «[ "targetOrigin" →
targetOrigin, "transfer"
→ transfer ]».