There's something I don't get about the event origin with JavaScript postMessage event.
Here is my main page:
Test
As pointed out here, there is a perfectly fine way to determine the sender in that scenario, without giving the allow-same-origin permission:
    window.addEventListener('message', function (e) {
      // Sandboxed iframes which lack the 'allow-same-origin'
      // header have "null" rather than a valid origin. This means you still
      // have to be careful about accepting data via the messaging API you
      // create. Check that source, and validate those inputs!
      var frame = document.getElementById('sandboxed');
      if (e.origin === "null" && e.source === frame.contentWindow)
        alert('Result: ' + e.data);
    });
Note that the origin isn't null, it's "null".
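The check from the answer above, as an added example that is not part of the original posts: the decision is pulled into a pure function so it can be run outside a browser. The function name, the `{type, value}` message shape, the length limit and the sample events are assumptions made for illustration.

```javascript
// Added example: decide whether a message event came from one specific
// sandboxed iframe, and return its validated payload (or null to reject).
function acceptSandboxedMessage(event, frameWindow) {
  // An opaque origin serializes to the string "null", never the value null.
  if (event.origin !== "null") return null;
  // Every sandboxed frame without allow-same-origin reports "null", so the
  // origin identifies nobody; the window reference is what pins the sender.
  if (!frameWindow || event.source !== frameWindow) return null;
  // Validate the payload before use (hypothetical schema for this example).
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (d.type !== "result" || typeof d.value !== "string") return null;
  if (d.value.length > 1024) return null;
  return d.value;
}

// Browser wiring, using the iframe id 'sandboxed' from the snippet above.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (e) {
    var frame = document.getElementById("sandboxed");
    var value = acceptSandboxedMessage(e, frame && frame.contentWindow);
    if (value !== null) console.log("Result:", value);
  });
}

// Constructed stand-ins for window objects and MessageEvent objects.
const ourFrame = { name: "our sandboxed frame" };
const otherFrame = { name: "some other sandboxed frame" };

function runSamples() {
  const ok = { type: "result", value: "42" };
  const check = (origin, source, data) =>
    acceptSandboxedMessage({ origin, source, data }, ourFrame);
  return {
    genuine: check("null", ourFrame, ok),
    otherSandbox: check("null", otherFrame, ok), // same "null" origin, wrong window
    realOrigin: check("https://example.com", ourFrame, ok),
    nullValue: check(null, ourFrame, ok), // the value null is not the string "null"
    badShape: check("null", ourFrame, "42"),
  };
}

console.log(runSamples());
```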