window.postMessage requires a targetOrigin which isn't enforced by all browsers.
This patch changes it to send a custom event which reduces the likelihood of interference and eavesdropping.
BUG: 411423
Reviewers: ognarb, fvogt, davidedmundson, Plasma
Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site.
I wonder whether that is relevant to us?
Further down it says:
It is not possible for content or web context scripts to specify a targetOrigin to communicate directly with an extension (either the background script or a content script).
I can probably set it to document.location.href but not sure what that'll gain us?
What we could also do, which I just realized, is that we could send a CustomEvent to the window instead of using postMessage.
Basically what we did before, except without a wrapper div, as while the JavaScript contexts are different, events posted to window are visible from the content script.
That does sound much nicer actually. Looking at the documentation it seems like that's intended as the main way for communication with extensions even.
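The two messaging styles the thread compares, as an added illustration that is not code from the patch under review or from plasma-browser-integration. The `Frame` class is a constructed stand-in for a browser window that models only the targetOrigin delivery rule of `postMessage`; the event name and payloads are made up for the example. It runs unchanged in Node and in a browser.

```javascript
// Added example (not the project's code). Contrasts:
//  1. window.postMessage with a targetOrigin, and what "*" gives away when the
//     window no longer holds the document the sender expected;
//  2. a CustomEvent dispatched on window, which a content script sharing the
//     same DOM observes without any origin bookkeeping.

// CustomEvent shim so the block also runs on Node builds without the global
// (browsers and Node >= 19 provide one natively).
const CustomEventImpl = globalThis.CustomEvent ?? class CustomEvent extends Event {
  constructor(type, init = {}) {
    super(type, init);
    this.detail = init.detail ?? null;
  }
};

// Constructed stand-in for a browser window: an EventTarget with an origin.
class Frame extends EventTarget {
  constructor(origin) {
    super();
    this.origin = origin;
  }

  // Models the HTML postMessage rule: deliver only if targetOrigin is "*" or
  // equals the origin of the document currently in this window. Real browsers
  // compare scheme/host/port and also accept "/"; the string match suffices here.
  postMessage(data, targetOrigin, sourceOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      return false; // dropped: the window is not where the sender assumed
    }
    const ev = new Event('message');
    ev.data = data;
    ev.origin = sourceOrigin;
    this.dispatchEvent(ev);
    return true;
  }
}

// Scenario 1: a page script sends a constructed MPRIS-style payload to whatever
// document is in `win`. Returns whether the browser delivered it and how many
// messages a listener in that document saw.
function sendToWindow(win, targetOrigin) {
  const seen = [];
  win.addEventListener('message', (ev) => seen.push(ev.data));
  const delivered = win.postMessage(
    { subsystem: 'mpris', action: 'playing', title: 'Track A' }, // constructed payload
    targetOrigin,
    'https://music.example' // constructed sender origin
  );
  return { delivered, received: seen.length };
}

// Scenario 2: the approach the patch switches to. The page-world script
// dispatches a CustomEvent on window; the content script, which shares the DOM
// but runs in its own JavaScript context, listens for it. No origin is
// involved: only scripts attached to this very document can observe it.
const PLASMA_EVENT = 'plasma-browser-integration-message'; // constructed name

function customEventScenario(win) {
  const received = [];
  // content-script side
  win.addEventListener(PLASMA_EVENT, (ev) => received.push(ev.detail));
  // page-script side
  win.dispatchEvent(new CustomEventImpl(PLASMA_EVENT, {
    detail: { subsystem: 'mpris', action: 'playing', title: 'Track A' },
  }));
  return received;
}

// Stand-alone run: the third line is the leak the MDN text warns about.
console.log(sendToWindow(new Frame('https://music.example'), 'https://music.example'));
console.log(sendToWindow(new Frame('https://other.example'), 'https://music.example'));
console.log(sendToWindow(new Frame('https://other.example'), '*'));
console.log(customEventScenario(new Frame('https://music.example')));
```

With an explicit targetOrigin the browser itself drops the message once the window holds a document from another origin, whereas `"*"` hands it to whatever is there. The CustomEvent path sidesteps origins entirely, but note the remaining audience: every script running in that document, not just the extension's content script, can add a listener for the event, so the gain is containment to the document rather than secrecy within it. In Firefox the content script can read the page-created `detail` object directly; objects going the other way, from content script to page, need `cloneInto` before the page can see them.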