Web Messaging
| HTML |
|---|
 |
| HTML and variants |
| HTML elements and attributes |
| Editing |
| Character encodings and language |
| Document and browser models |
| Client-side scripting and APIs |
| Graphics and Web3D technology |
| Comparisons |
Web Messaging, or cross-document messaging, is an API introduced in the WHATWG HTML5 draft specification, allowing documents to communicate with one another across different origins, or source domains[1] while rendered in a web browser. Prior to HTML5, web browsers disallowed cross-site scripting, to protect against security attacks. This practice barred communication between non-hostile pages as well, making document interaction of any kind difficult.[1][2] Cross-document messaging allows scripts to interact across these boundaries, while providing a rudimentary level of security.
Requirements and attributes
Using the Messaging API's postMessage method, plain text messages can be sent from one domain to another, e.g. from a parent document to an IFRAME.[3] This requires that the author first obtain the Window object of the receiving document. As a result, messages can be posted to the following:[2]
- other frames or iframes within the sender document's window
- windows the sender document explicitly opens through JavaScript calls
- the parent window of the sender document
- the window which opened the sender document
The message event being received has the following attributes:
data– The data, or actual content, of the incoming message.origin– The origin of the sender document. This typically includes the scheme, hostname and port. It does not include the path or fragment identifier.[1]source– theWindowProxyof where the document came from (the source window).
postMessage is not a blocking call; messages are processed asynchronously.[4]
Example
Consider we want document A loaded from example.net to communicate with document B loaded from example.com into an iframe or popup window.[1] The JavaScript for document A will look as follows:
var o = document.getElementsByTagName('iframe')[0];
o.contentWindow.postMessage('Hello B', 'http://example.com/');
The origin of our contentWindow object is passed to postMessage. It must match the origin of the document we wish to communicate with (in this case, document B). Otherwise, a security error will be thrown and the script will stop.[3] The JavaScript for document B will look as follows:
function receiver(event) {
if (event.origin == 'http://example.net') {
if (event.data == 'Hello B') {
event.source.postMessage('Hello A, how are you?', event.origin);
}
else {
alert(event.data);
}
}
}
window.addEventListener('message', receiver, false);
An event listener is set up to receive messages from document A. Using the origin property, it then checks that the domain of the sender is the expected domain. Document B then looks at the message, either displaying it to the user, or responding in turn with a message of its own for document A.[1]
Security
Poor origin checking can pose a risk for applications which employ cross-document messaging.[5] To safeguard against malicious code from foreign domains, authors should check the origin attribute to ensure messages are accepted from domains they expect to receive messages from. The format of incoming data should also be checked that it matches the expected format.[1]
Support
Support for cross-document messaging exists in current versions of Internet Explorer, Mozilla Firefox, Safari, Google Chrome, Opera, Opera Mini, Opera Mobile, and Android web browser.[6] Support for the API exists in the Trident, Gecko, WebKit and Presto layout engines.[7]
See also
- Cross-site scripting
- Cross-site request forgery
- Same-origin policy
- Cross-origin resource sharing
- JSONP
References
- ^ a b c d e f Cross-Document Messaging – HTML Draft Standard
- ^ a b "WebKit DOM Programming Topics - Cross Document Messaging". Archived from the original on 2012-06-09. Retrieved 2013-12-29.
- ^ a b Remy, Sharp, Messages, Workers, and Sockets, Introducing HTML5, New Riders, 2011, p. 197-199
- ^ "HTML5 Web Messaging".
- ^ HTML5 Security in a Nutshell
- ^ When can I use Cross-Document Messaging?
- ^ "A Selection of Supported Features in HTML5". Archived from the original on 2011-11-12. Retrieved 2011-04-18.
External links
- HTML5 Web Messaging recommendation
- HTML5 Web Messaging specification Archived 2010-12-24 at the Wayback Machine
- Cross-Document Messaging – HTML Draft Standard, WHATWG
- WebKit DOM Programming Topics - Cross Document Messaging, Apple Developer Library, archived from the original on 2012-06-09, retrieved 2013-12-29
- Eng, Chris (2010-05-17), HTML5 Security in a Nutshell, Veracode
- When can I use Cross-Document Messaging?, CanIUse
- A Selection of Supported Features in HTML5, archived from the original on 2011-11-12, retrieved 2011-04-18
Content Disclaimer
Informasi ini disarikan dari Wikipedia dan disajikan kembali untuk tujuan edukasi. Konten tersedia di bawah lisensi CC BY-SA 3.0. Kami tidak bertanggung jawab atas ketidakakuratan data yang bersumber dari kontribusi publik tersebut.
- The information displayed on this website is sourced in part or in whole from Wikipedia and has been adapted for the purpose of restating it. We strive to provide accurate and relevant information, however:
- There is no guarantee of absolute accuracy. Wikipedia is an open, collaborative project that can be edited by anyone, so information is subject to change.
- It is not intended to constitute professional advice. The content displayed is for informational and educational purposes only. For important decisions (e.g., medical, legal, or financial), please consult a professional.
- Content copyright. Wikipedia is licensed under the Creative Commons Attribution-ShareAlike License (CC BY-SA). This means that content may be reused with appropriate attribution and shared under a similar license.
- Responsible use. Any risk arising from the use of information from this website is entirely the responsibility of the user.