PostMessage from a sandboxed iFrame to the main window, origin is always null

前端 未结 2 745
日久生厌
日久生厌 2021-02-19 21:23

There\'s something I don\'t get about the event origin with javascript postMessage event.

Here is my main page:




Test

2条回答
  •  太阳男子
    2021-02-19 22:01

    As pointed out here, there is a perfectly fine way to determine the sender in that scenario, without giving the allow-same-origin permission:

      // Sandboxed iframes which lack the 'allow-same-origin'
      // header have "null" rather than a valid origin. This means you still
      // have to be careful about accepting data via the messaging API you
      // create. Check that source, and validate those inputs!
      var frame = document.getElementById('sandboxed');
      if (e.origin === "null" && e.source === frame.contentWindow)
        alert('Result: ' + e.data);
    

    Note that the origin isn't null, it's "null".

提交回复
热议问题