PostMessage from a sandboxed iFrame to the main window, origin is always null

日久生厌 2021-02-19 21:23

There's something I don't get about the event origin with JavaScript postMessage event.

Here is my main page:




Test

2 Answers
  • 2021-02-19 21:58

    Since the iframe is sandboxed it lost access to its origin data.

    Adding allow-same-origin to the iframe sandbox property will make it work again.

  • 2021-02-19 22:01

    As pointed out here, there is a perfectly fine way to determine the sender in that scenario, without giving the allow-same-origin permission:

      // Sandboxed iframes which lack the 'allow-same-origin'
      // header have "null" rather than a valid origin. This means you still
      // have to be careful about accepting data via the messaging API you
      // create. Check that source, and validate those inputs!
      window.addEventListener('message', function (e) {
        var frame = document.getElementById('sandboxed');
        if (e.origin === "null" && e.source === frame.contentWindow)
          alert('Result: ' + e.data);
      });
    

    Note that the origin isn't null, it's "null".

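Added example, not part of either answer: a receiver for the parent page that combines the `"null"` origin check and the `e.source` check from the second answer with validation of the message body. The names `makeSandboxReceiver` and `demo`, the `{type, result}` message shape and the 1024-character limit are assumptions made for illustration; the events in `demo()` are constructed stand-ins for real `MessageEvent` objects.

```javascript
// Hypothetical helper: accept messages only from one specific sandboxed iframe.
function makeSandboxReceiver(getFrameWindow, onResult) {
  return function handleMessage(e) {
    // A sandboxed frame without allow-same-origin has an opaque origin,
    // which is serialized as the string "null", never the value null.
    if (e.origin !== 'null') return 'rejected: origin';
    // Every such frame reports "null", so the origin identifies nobody.
    // Window identity is what ties the message to our own iframe.
    const expected = getFrameWindow();
    if (!expected || e.source !== expected) return 'rejected: source';
    // The frame's content is untrusted: accept only the expected shape.
    const d = e.data;
    if (typeof d !== 'object' || d === null || d.type !== 'result' ||
        typeof d.result !== 'string' || d.result.length > 1024) {
      return 'rejected: data';
    }
    onResult(d.result);
    return 'accepted';
  };
}

// Browser wiring, using the iframe id from the answer above.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('sandboxed');
  window.addEventListener('message', makeSandboxReceiver(
    () => frame && frame.contentWindow,
    (result) => console.log('Result:', result)));
}

// Constructed events showing which checks reject which senders.
function demo() {
  const ourFrame = {}, otherFrame = {}; // stand-ins for contentWindow objects
  const seen = [];
  const handle = makeSandboxReceiver(() => ourFrame, (r) => seen.push(r));
  const ok = { type: 'result', result: '42' };
  return {
    good: handle({ origin: 'null', source: ourFrame, data: ok }),
    otherSandbox: handle({ origin: 'null', source: otherFrame, data: ok }),
    realOrigin: handle({ origin: 'https://example.com', source: ourFrame, data: ok }),
    nullValue: handle({ origin: null, source: ourFrame, data: ok }),
    badData: handle({ origin: 'null', source: ourFrame, data: '<img>' }),
    seen,
  };
}
```

The `otherSandbox` case is the reason the origin check alone is insufficient: a second sandboxed frame also reports `"null"` and is rejected only by the `source` comparison.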