Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the difference between postMessage() and dispatchEvent() in respect to the origin policy?

Tags:

javascript

postmessage

dispatchevent

I have this code, I have set the MessageEvent 's origin to *, but still the console prompts Blocked a frame with origin "AAAA" from accessing a frame with origin "BBBB". Protocols, domains, and ports must match. Anyone know why?

  var size = {
    width:  document.body.scrollWidth,
    height:  document.body.scrollHeight
  }
  var evt = new MessageEvent("dimensionMessage",{
      "data": size,
      "origin":"*"
  });
  window.parent.dispatchEvent(evt);

However, if I use window.parent.postMessage(size, "*") , it works.

like image 489
Blake Avatar asked Aug 04 '16 04:08

Blake

2 Answers

The error message tells you that a cross-origin iframe cannot in general invoke a method from the parent if it is in a different origin; that includes the dispatchEvent method (otherwise, an iframe could for instance generate mouse events in the parent page).

The postMessage API is an exception to that, designed precisely to allow cross-origin communication in a well-defined manner.

(Setting origin to '*' won't help you here; in general, that property is expected to be set by the browser when a message is sent via postMessage; creating manually a MessageEvent object is mostly only useful when you want to simulate in the receiving page the reception of an external message)

like image 160
dontcallmedom Avatar answered Sep 20 '22 16:09

dontcallmedom

When two documents do not have the same origin, they have very limited access caused by Same-origin policy restrictions.

In your example dispatchEvent() has limited access to a different frame (window.parent).

window.postMessage() allow to perform a cross-window messaging avoiding Same-origin policy restriction.

Parameter targetOrigin for window.postMessage() specifies what the origin of otherWindow must be for the event to be dispatched, either as the literal string "*" (indicating no preference) or as a URI.

Please note that in your production code you should use a specific URI in order to make your code more secure. More information about how to use window.postMessage() securely can be found here https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

like image 33
GibboK Avatar answered Sep 18 '22 16:09

GibboK
Sign in to Comment

Related questions

TinyMCE and Vuejs as a component
Add bookmark this page button - 2016
jQuery fullcalendar - events
is it ok to write Javascript or jQuery code as a PHP file in CodeIgniter views?
Clicking link inside div firing div's onclick
Detect session end between tabs
Map paths for Node modules, for unit testing
Inserting HTML with JS
Use of require(lib) versus <script> in Electron apps
React update state on click
Redux thunk: how to await completion of an async action
Permission checks from components in a React/Redux application
How to open Safari's settings from web page on iOS 9.3+
Changing default folder for components in angular-cli
Loopback and mocha: wait for server to finish boot scripts
achieving angular ng-repeat like feature in javascript
All the toolbar buttons of Froala
GraphQL/Relay Schema Cannot query field "store" on type "CreateLinkPayload"
Declare UInt8Array variable in TypeScript
transition opacity not working when creating element [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!