window.postMessage requires a targetOrigin which isn't enforced by all browsers.
This patch changes it to send a custom event which reduces the likelihood of interference and eavesdropping.
BUG: 411423
Details
Details
- Reviewers
ognarb fvogt davidedmundson - Group Reviewers
Plasma - Commits
- R856:1eda6e4387da: Use custom event rather than window.postMessage
- Firefox and Chrome still get proper media controls
- Waterfox works fine now
Diff Detail
Diff Detail
- Repository
- R856 Plasma Browser Integration
- Lint
Automatic diff as part of commit; lint not applicable. - Unit
Automatic diff as part of commit; unit tests not applicable.
Comment Actions
Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site.
I wonder whether that is relevant to us?
Comment Actions
Further down it says
It is not possible for content or web context scripts to specify a targetOrigin to communicate directly with an extension (either the background script or a content script).
I can probably set it to document.location.href but not sure what that'll gain us?
Comment Actions
What we could also do which I just realized is that we could send a CustomEvent to the window instead of using postMessage
Basically what we did before except without a wrapper div as while the JavaScript contexts are different, events posted to window are visible from the content script.
Comment Actions
That does sound much nicer actually. Looking at the documentation it seems like that's intended as the main way for communication with extensions even.
This comment was removed by bcooksley.