跨域传输信息postMessage

widnow.postMessage()方法容许安全的跨域传输。

Syntax

otherWindow.postMessage(message, targetOrigin, [transfer]);

otherWindow

指向另外一个窗口的引用：。

message

传输给另外一个窗口的信息

targetOrigin

一个字符串，指定消息来源（URL形式）。记住老是提供一个特定的URL地址若是你知道的话，不要老是使用“*”（针对全部的URL），由于指定一个特定的URL能够防止恶意的网站来攻击。

The dispatched event

其余的窗口能够经过如下代码来监听被发送的信息：

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  var origin = event.origin || event.originalEvent.origin; // For Chrome, the origin property is in the event.originalEvent object.
  if (origin !== "http://example.org:8080")
    return;

  // ...
}

被发送的信息的属性以下：

data

从其余窗口传递的data

origin

当postMessage调用的时候，发送信息窗口的origin。这个字符串是协议和"://"和主机名和后面用":"链接了一个接口名称，若是这个接口名和默认的接口名不同的话。好比http://example.org(默认的接口是443),http://example.net(默认的接口是80)和http://example.com:8080。注意，这个origin并不必定要是当前亦或将来的那个窗口的origin，因此这将有可能当调用postMessage的时候，致使跳转到另外一个彻底不一样的地址。

source

发送信息的window对象。你可使用这个在不一样origin之间在两个窗口之间创建两个通讯。

Security concerns

若是你不想接受到其余网站的信息，不要在message对象上增长任何监听。

使用origin（有可能也会使用source）属性来肯定发送者的身份，若是你不想接受到其余网站的信息的话。

任何的window（包括，例如http://evil.example.com）能够向任何的其余window发送信息，你没有任何的保障来保证未知的发送者不会发送恶意的信息。确保了发送信息者的身份以后，你还须要确验证接收到的内容的语法。不然，发送信任信息的受信网站可能在你的网站上建立一个跨域的脚本漏洞。

不要使用“*”，而是肯定的目标origin，当你使用postMessage来发送信息给其余的windows的时候，防止其余网站在你postMessage的时候拦截发送的信息。

Example

/*
 * In window A's scripts, with A being on <http://example.com:8080>:
 */

var popup = window.open(...popup details...);

// When the popup has fully loaded, if not blocked by a popup blocker:

// This does nothing, assuming the window hasn't changed its location.
popup.postMessage("The user is 'bob' and the password is 'secret'",
                  "https://secure.example.net");

// This will successfully queue a message to be sent to the popup, assuming
// the window hasn't changed its location.
popup.postMessage("hello there!", "http://example.org");

function receiveMessage(event)
{
  // Do we trust the sender of this message?  (might be
  // different from what we originally opened, for example).
  if (event.origin !== "http://example.org")
    return;

  // event.source is popup
  // event.data is "hi there yourself!  the secret response is: rheeeeet!"
}
window.addEventListener("message", receiveMessage, false);
/*
 * In the popup's scripts, running on <http://example.org>:
 */

// Called sometime after postMessage is called
function receiveMessage(event)
{
  // Do we trust the sender of this message?
  if (event.origin !== "http://example.com:8080")
    return;

  // event.source is window.opener
  // event.data is "hello there!"

  // Assuming you've verified the origin of the received message (which
  // you must do in any case), a convenient idiom for replying to a
  // message is to call postMessage on event.source and provide
  // event.origin as the targetOrigin.
  event.source.postMessage("hi there yourself!  the secret response " +
                           "is: rheeeeet!",
                           event.origin);
}

window.addEventListener("message", receiveMessage, false);

 

Notes

任何window能够在任何其余的window上使用这个方法，在任何的时候，无论当前页面在window中的location，来发送信息。

因此，任何的对象监听被使用来接受信息时必须先检查信息发送着的身份，使用origin和可能使用的属性source来判断。

这个必须再三声明：不检查origin和source可能会致使跨站点脚本攻击。

和任何的异步执行的脚本（timeout,用户生成的脚本），调用postMessage来监听什么时候事件处理函数监听postMessage发送的事件对象是不可能的，将会抛出错误。

发送对象的origin属性是不会受到当前在调用窗口的document.domain值的影响。

 

For IDN host names only, the value of the origin property is not consistently Unicode or punycode; for greatest compatibility check for both the IDN and punycode values when using this property if you expect messages from IDN sites. This value will eventually be consistently IDN, but for now you should handle both IDN and punycode forms.

The value of the origin property when the sending window contains a javascript: or data:URL is the origin of the script that loaded the URL.

Using window.postMessage in extensions 

window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.) The targetOrigin argument for a message sent to a window located at a chrome: URL is currently misinterpreted such that the only value which will result in a message being sent is "*". Since this value is unsafe when the target window can be navigated elsewhere by a malicious site, it is recommended thatpostMessage not be used to communicate with chrome: pages for now; use a different method (such as a query string when the window is opened) to communicate with chrome windows. Lastly, posting a message to a page at a file: URL currently requires that the targetOriginargument be "*". file:// cannot be used as a security restriction; this restriction may be modified in the future.

Browser compatibility

Feature	Chrome	Firefox (Gecko)	Internet Explorer	Opera	Safari (WebKit)
Basic support	1.0	6.0 (6.0)[1] 8.0 (8.0)[2]	8.0[3] 10.0[4]	9.5	4.0
transferargument	?	20.0 (20.0)	Not supported	?	?

 

[1] Prior to Gecko 6.0 (Firefox 6.0 / Thunderbird 6.0 / SeaMonkey 2.3), the message parameter must be a string. Starting in Gecko 6.0 (Firefox 6.0 / Thunderbird 6.0 / SeaMonkey 2.3), themessage parameter is serialized using the structured clone algorithm. This means you can pass a broad variety of data objects safely to the destination window without having to serialize them yourself.

[2] Gecko 8.0 introduced support for sending File and FileList objects between windows. This is only allowed if the recipient's principal is contained within the sender's principal for security reasons.

[3] IE8 and IE9 only support it for <frame> and <iframe>.

[4] IE10 has important limitations: see this article for details.