Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple targetOrigin #707

Open
wei2go opened this issue May 13, 2019 · 5 comments
Open

Multiple targetOrigin #707

wei2go opened this issue May 13, 2019 · 5 comments
Labels
Browser Issue This issue is due to limitations in current browsers and has no simple work around enhancement

Comments

@wei2go
Copy link

wei2go commented May 13, 2019

Is there a way to restricted multiple 'targetOrigin' on an iFramed page, instead of just default it to '*', or restricted to only one domain?
@davidjbradshaw
Copy link
Owner

davidjbradshaw commented May 14, 2019 via email

@FortinFred
Copy link

FortinFred commented Aug 29, 2019
edited
Loading

@davidjbradshaw

I think there's two aspects to consider regarding messages.

Message reception:

function receiveMessage(event)
{
  // Here we might want to trust multiple origins
  if (event.origin !== "http://example.com" && event.origin !== "http://someothertrustedorigin.com")
    return;
}
window.addEventListener("message", receiveMessage, false);

Sending a message back:
In this case, given that you have received at least one message from the parent, you could store the event.origin and use it for sending messages from frame to parent.

IMHO, targetOrigin should be renamed to trustedOrigins. The target would always be the parent that included the frame which is provided in event.origin

function receiveMessage(event)
{
  // Do we trust the event's origin
  if ( ! trustedOrigins.includes(event.origin) )
    return;

  // event.source is window.opener
  // event.data is "hello there!"

  // Assuming you've verified the origin of the received message (which
  // you must do in any case), a convenient idiom for replying to a
  // message is to call postMessage on event.source and provide
  // event.origin as the targetOrigin.
  event.source.postMessage("hi there yourself!  the secret response " +
                           "is: rheeeeet!",
                           event.origin);
}

window.addEventListener("message", receiveMessage, false);

@jackrabbithanna
Copy link

Was it decided that this was possible with this library? A simple use case would be wanting to allow 3 domains, for dev/staging/production domains, but no others.

@paoliniluis paoliniluis mentioned this issue Sep 17, 2021
Closed
@menachemshapiro
Copy link

I'm pretty much looking for exactly this option. Any update to whether it is possible?

@davidjbradshaw davidjbradshaw mentioned this issue Feb 11, 2024
Closed
@davidjbradshaw davidjbradshaw mentioned this issue Feb 15, 2024
Merged
@davidjbradshaw davidjbradshaw mentioned this issue May 19, 2024
Open
26 tasks
@davidjbradshaw
Copy link
Owner

I've been looking at this and the issue is that you end up flooding the console with erroneous error messages. As every rejected postMessage call logs out an uncatchable error message.

@davidjbradshaw davidjbradshaw added Browser Issue This issue is due to limitations in current browsers and has no simple work around and removed v5.1 labels Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Browser Issue This issue is due to limitations in current browsers and has no simple work around enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@davidjbradshaw @jackrabbithanna @menachemshapiro @FortinFred @wei2go