From the course: Web Security: Same-Origin Policies
Specify the target domain for a message - JavaScript Tutorial
- [Instructor] Whenever you send a message to another window using the postMessage method, you have to specify an origin. For testing, it can be useful to first get things working using the string asterisk which allows the target window to receive the message no matter what its origin. However, what if the target window has since been redirected to a malicious site? Just having a reference to this window does not guarantee where the content of your message will end up. To ensure that a message is not received by a redirected window, you should be as specific as possible in the second argument to postMessage, indicating the exact origin that should receive the message. So in my DOMContentLoaded event listener, which is for the pages that are opened by the main page, I currently use asterisk as the origin. Now I'm serving my main page from hanselandpetal.herokuapp.com, and my opened page I'm serving from a different origin,…
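The delivery rule described in the transcript, modelled as a small Node.js script. This is an added example, not code from the course or its exercise files. The `ModelWindow` class, the `send` helper, the `https` scheme on the main page's origin and the `redirected.example` URL are assumptions made for the illustration.

```javascript
// Simplified model of the browser's targetOrigin check in postMessage.
// Not modelled: the "/" shorthand for the sender's own origin, and the fact
// that the real method returns undefined rather than a boolean.
class ModelWindow {
  constructor(url) {
    this.received = []; // messages delivered to whatever document is loaded
    this.navigate(url);
  }

  // A navigation or redirect replaces the document, but any reference the
  // sender already holds to this window keeps working.
  navigate(url) {
    this.origin = new URL(url).origin;
  }

  // Deliver only when targetOrigin is "*" or equals the window's CURRENT origin.
  postMessage(data, targetOrigin) {
    const wanted = targetOrigin === "*" ? "*" : new URL(targetOrigin).origin;
    if (wanted !== "*" && wanted !== this.origin) {
      return false; // the browser drops the message silently
    }
    this.received.push({ data, deliveredTo: this.origin });
    return true;
  }
}

// Main page origin named in the transcript; the https scheme is an assumption.
const MAIN_ORIGIN = "https://hanselandpetal.herokuapp.com";
// Constructed URL standing in for wherever the window was redirected.
const REDIRECT_URL = "https://redirected.example/landing";

// Send one constructed payload and report which origins actually received it.
function send(targetOrigin, redirected) {
  const target = new ModelWindow(MAIN_ORIGIN + "/index.html");
  if (redirected) target.navigate(REDIRECT_URL);
  target.postMessage({ note: "constructed payload" }, targetOrigin);
  return target.received.map((m) => m.deliveredTo);
}

console.log('"*" after redirect:         ', send("*", true));
console.log("exact origin after redirect:", send(MAIN_ORIGIN, true));
console.log("exact origin, no redirect:  ", send(MAIN_ORIGIN, false));
```

With `"*"` the payload reaches whichever origin now occupies the window; with the exact origin it is delivered only while the window still holds the expected page.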