SyntaxFix

[javascript] How do you use window.postMessage across domains?

It seems like the point of window.postMessage is to allow safe communication between windows/frames hosted on different domains, but it doesn't actually seem to allow that in Chrome.

Here's the scenario:

  1. Embed an <iframe> (with a src on domain B*) in a page on domain A
  2. The <iframe> ends up being mostly a <script> tag, at the end of which's execution...
  3. I call window.postMessage( some_data, page_on_A )

The <iframe> is most definitely in the context of domain B, and I've confirmed that the embedded javascript in that <iframe> executes properly and calls postMessage with the correct values.

I get this error message in Chrome:

Unable to post message to A. Recipient has origin B.

Here's the code that registers a message event listener in the page on A:

window.addEventListener(
  "message",
  function (event) {
    // Do something
  },
  false);

I've also tried calling window.postMessage(some_data, '*'), but all that does is suppress the error.

Am I just missing the point here, is window.postMessage(...) not meant for this? Or am I just doing it horribly wrong?

*Mime-type text/html, which it must remain.

This question is related to javascript html google-chrome xss

The answer is

You should post a message from frame to parent, after loaded.

frame script:

$(document).ready(function() {
    window.parent.postMessage("I'm loaded", "*");
});

And listen it in parent:

function listenMessage(msg) {
    alert(msg);
}

if (window.addEventListener) {
    window.addEventListener("message", listenMessage, false);
} else {
    window.attachEvent("onmessage", listenMessage);
}

Use this link for more info: http://en.wikipedia.org/wiki/Web_Messaging

Probably you try to send your data from mydomain.com to www.mydomain.com or reverse, NOTE you missed "www". http://mydomain.com and http://www.mydomain.com are different domains to javascript.

Source: Stackoverflow.com

Examples related to javascript

need to add a class to an element How to make a variable accessible outside a function? Hide Signs that Meteor.js was Used How to create a showdown.js markdown extension Please help me convert this script to a simple image slider Highlight Anchor Links when user manually scrolls? Summing radio input values How to execute an action before close metro app WinJS javascript, for loop defines a dynamic variable name Getting all files in directory with ajax

Examples related to html

Embed ruby within URL : Middleman Blog Please help me convert this script to a simple image slider Generating a list of pages (not posts) without the index file Why there is this "clear" class before footer? Is it possible to change the content HTML5 alert messages? Getting all files in directory with ajax DevTools failed to load SourceMap: Could not load content for chrome-extension How to set width of mat-table column in angular? How to open a link in new tab using angular? ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment

Examples related to google-chrome

SessionNotCreatedException: Message: session not created: This version of ChromeDriver only supports Chrome version 81 SameSite warning Chrome 77 What's the net::ERR_HTTP2_PROTOCOL_ERROR about? session not created: This version of ChromeDriver only supports Chrome version 74 error with ChromeDriver Chrome using Selenium Jupyter Notebook not saving: '_xsrf' argument missing from post How to fix 'Unchecked runtime.lastError: The message port closed before a response was received' chrome issue? Selenium: WebDriverException:Chrome failed to start: crashed as google-chrome is no longer running so ChromeDriver is assuming that Chrome has crashed WebDriverException: unknown error: DevToolsActivePort file doesn't exist while trying to initiate Chrome Browser How to make audio autoplay on chrome How to handle "Uncaught (in promise) DOMException: play() failed because the user didn't interact with the document first." on Desktop with Chrome 66?

Examples related to xss

WARNING: sanitizing unsafe style value url What is the http-header "X-XSS-Protection"? How to pass parameters to a Script tag? How do you use window.postMessage across domains? Sanitizing user input before adding it to the DOM in Javascript XSS prevention in JSP/Servlet web application How do I prevent people from doing XSS in Spring MVC? How to prevent XSS with HTML/PHP? XSS filtering function in PHP Java Best Practices to Prevent Cross Site Scripting

Tags

Acoustics Transitivity Android-gui Decrement Django-admin Certificate-revocation Form-helpers Messagewindow Composite Nonce Truss Cohesion Linux-distro Heading Visibility Monotorrent Fxcopcmd Internet-explorer-8 Faults Event-bus Multiple-indirection Fmj Yahoo Flowplayer Log-files Twisted.client Vtune Culerity Adhoc-queries Micrium Mutators Lwp Edifact Open-packaging-convention Powerbuilder-conversion Visual-artifacts Resource-dll Denial-of-service Csv-import Genericprincipal Restful-url Httpfilecollection Maven-site-plugin Mysql-connect Satchmo Power-saving Firefox2 Ssas Tasklist Camera-calibration Continue Response Getschematable Eol Negative-number Rdl User-friendly Hamiltonian-cycle Gwt-gin Default-copy-constructor Unsigned-char Zend-layout Sql-subselect Not-exists Nabaztag Session-store Uipopovercontroller Xtable Interface-builder Glassfish-webspace Nhibernate Jcrop Map-directions Has-many-polymorphs Car-analogy Simplify Jquery-templates Toolbars Kohana Ora-12154 Windows-server-2003 Shared-ptr Keyrelease Form-design Data-dump Intellitrace Utorrent Data-formats Iterator-range Freezable Tortoisehg Flexbox Cyclic-reference Ontime Materialized-path-pattern Ora-00936 Bluedragon Digraphs Authz Pyjamas