This looks promising. I'm sorry I'm late to the game with the postMessage API (first time I've seen it). But I have a question about that. How does it compare to, say, Cocoa's NSNotificationCenter style of messaging, in which there is a default message center that handles receiving and dispatching? From my really brief look at it, it seems similar with one caveat: you can have multiple NSNotificationCenters. So observers don't have to observe all messages. But here it looks like every observer will be observing all messages sent. Is that correct?
As you point out here (http://ejohn.org/blog/postmessage-api-changes/) this will lead to a potential security issue in which you might be responding to messages posted by an external source. Maybe another property could be added, which I'll refer to as messagingDomains. This could be set to a string like 'http://example.com or an array of strings. Each string corresponds to a domain. If this property is set the onmessage would only be called if the origin was from the domain(s) specified in messagingDomains. It's a subtle addition to the API, yes. But it would more clearly establish the existence of a security risk here, because it would probably be propagated better in documentation than a warning to conditionally check event.origin.
For reference, here is how onmessage works right now:
observer.onmessage = function(e) {
if (e.origin == 'http://example.com') {
// I trust this domain, do something
}
}
Here is what I think would make sense to clearly establish that security matters here, and as a benefit it would not break backward compatibility:
As you point out here (http://ejohn.org/blog/postmessage-api-changes/) this will lead to a potential security issue in which you might be responding to messages posted by an external source. Maybe another property could be added, which I'll refer to as messagingDomains. This could be set to a string like 'http://example.com or an array of strings. Each string corresponds to a domain. If this property is set the onmessage would only be called if the origin was from the domain(s) specified in messagingDomains. It's a subtle addition to the API, yes. But it would more clearly establish the existence of a security risk here, because it would probably be propagated better in documentation than a warning to conditionally check event.origin.
For reference, here is how onmessage works right now:
observer.onmessage = function(e) {
}Here is what I think would make sense to clearly establish that security matters here, and as a benefit it would not break backward compatibility:
observer.messagingDomains = ['http://one.example.com, 'http://two.example.com];
observer.onmessage = function(e) {