Cross-document messaging


Cross-document messaging, or web messaging, is an API introduced in the WHATWG HTML5 draft specification that allows documents to communicate with one another across different origins (scheme, host and port).[1] Prior to HTML5, browsers enforced the same-origin policy strictly: a script in one document could not read from or call into a document of a different origin, a restriction that protects against cross-site attacks. The same restriction barred communication between non-hostile pages as well, making document interaction of any kind difficult.[1][2] Cross-document messaging lets scripts exchange messages across these boundaries while keeping the boundary itself intact: the receiver is told the sender's origin and can decide whether to trust the message, which is a rudimentary but usable level of security.


Requirements and Attributes

Using the Messaging API's postMessage method, a string message can be sent from one origin to another (later revisions of the specification also allow objects that can be structured-cloned).[3] The sender must first obtain the Window object of the receiving document, so messages can be posted to the following:[2]

  • other frames or iframes within the sender document's window
  • windows the sender document explicitly opens through JavaScript calls
  • the parent window of the sender document
  • the window which opened the sender document

The message event being received has the following attributes:

  • data - The data, or actual content, of the incoming message.
  • origin - The origin of the sender document. This typically includes the scheme, hostname and port. It does not include the path or fragment identifier.[1]
  • source - The WindowProxy of the window the message came from (the source window). Replies should be posted to this object, with origin as the target origin.

Example

Suppose we want document A to communicate with document B, which is contained within an iframe or popup window.[1] The JavaScript for document A looks as follows:

var o = document.getElementsByTagName('iframe')[0];
// Second argument is the target origin: the message is delivered only if the
// document currently loaded in the iframe has exactly this origin.
o.contentWindow.postMessage('Hello B', 'http://documentB.com/');

The second argument to postMessage is the target origin: the origin the sender expects the receiving window to have (here, document B's origin). If the document currently loaded in that window has a different origin, for example because the iframe has since been navigated elsewhere, the browser silently discards the message rather than delivering it; no error is raised in the sender.[3] (A value that is not a valid URL, '*' or '/' is rejected with a SyntaxError.) Passing '*' as the target origin delivers the message to whatever document happens to be loaded and should be avoided for anything sensitive. The JavaScript for document B looks as follows:

window.addEventListener('message', receiver, false);

function receiver(event) {
        // Accept only messages whose sender has exactly the expected origin;
        // messages from any other origin are ignored.
        if (event.origin === 'http://documentA.com') {
                if (event.data === 'Hello B') {
                        // Reply to the sender, pinned to the origin just verified.
                        event.source.postMessage('Hello A, how are you?', event.origin);
                }
                else {
                        alert(event.data);
                }
        }
}

An event listener is set up to receive messages. Using the origin property, it first checks that the sender's origin is exactly the expected one; messages from any other origin are ignored. Document B then inspects the message, either displaying it to the user or replying in turn with a message of its own for document A, posted back to event.source with event.origin as the target origin.[1]

Security

Poor origin checking is the main risk for applications that employ cross-document messaging.[4] Because any document that can obtain a reference to a window may post to it, the receiver must treat every message as untrusted input. Authors should compare the origin attribute exactly against an allowlist of expected origins; substring or unanchored regular-expression checks (for example, testing whether the origin merely contains a trusted hostname) can be satisfied by an attacker-controlled origin. The format of incoming data should also be checked against the expected format before it is acted on, and it should never be passed to eval or inserted into the page as HTML.[1] On the sending side, the target origin should be the receiver's actual origin rather than '*' whenever the message carries anything sensitive, so that the browser discards it if the window has been navigated to another site.
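The following is an added example, not code from the original article, showing a hardened sender and receiver for the pattern described above. It goes beyond the page's own example by contrasting a weak substring origin check with an exact allowlist, validating the message payload before acting on it, and refusing a wildcard target origin on the sending side. The trusted origin 'https://app.example.com' and the JSON message shape { type: 'greeting', text } are assumptions made for the example; the handler returns a small result object so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original article). Origin and message shape are
// hypothetical; a real deployment substitutes its own allowlist and schema.

// Exact-match allowlist. An origin is scheme + host + port, so
// 'http://app.example.com' or 'https://app.example.com:8443' would NOT match.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Weak check, shown only for contrast: a substring test is satisfied by
// 'https://app.example.com.attacker.net' or 'https://evil.net/?app.example.com'.
function isTrustedOriginWeak(origin) {
  return typeof origin === 'string' && origin.indexOf('app.example.com') !== -1;
}

// Strict check: the whole serialized origin must be in the allowlist.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Validate the payload before acting on it. Only a JSON string decoding to
// { type: 'greeting', text: <string> } is accepted; anything else is rejected
// rather than handed to alert(), innerHTML or eval().
function parseMessage(data) {
  if (typeof data !== 'string' || data.length > 4096) return null;
  let msg;
  try {
    msg = JSON.parse(data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'greeting' || typeof msg.text !== 'string') return null;
  return { type: 'greeting', text: msg.text };
}

// Receiver. Returns what it did so the behaviour can be checked offline.
function handleMessage(event) {
  // 1. Origin first: drop everything not on the allowlist.
  if (!isTrustedOrigin(event.origin)) return { action: 'dropped', reason: 'origin' };
  // 2. Then the shape of the data.
  const msg = parseMessage(event.data);
  if (msg === null) return { action: 'dropped', reason: 'format' };
  // 3. Reply to the sender only, pinned to the origin verified in step 1.
  const reply = JSON.stringify({ type: 'greeting', text: 'Hello A, how are you?' });
  event.source.postMessage(reply, event.origin);
  return { action: 'replied', text: msg.text };
}

// Sender. Refuses '*' so a navigated frame on another site receives nothing;
// with an explicit targetOrigin the browser silently discards the message instead.
function sendGreeting(targetWindow, targetOrigin, text) {
  if (targetOrigin === '*') throw new Error('refusing wildcard targetOrigin');
  targetWindow.postMessage(JSON.stringify({ type: 'greeting', text }), targetOrigin);
}

// Browser wiring; skipped when run under Node, where window is undefined.
if (typeof window !== 'undefined') {
  window.addEventListener('message', handleMessage, false);
}
```

The receiver checks origin before it even parses the data, so a message from an untrusted origin never reaches the parser or any page logic. Replying to event.source with event.origin, rather than to a window reference the receiver looks up itself, guarantees the reply goes only to the document that was just verified.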

Support

As of 2010, support for cross-document messaging existed in the then-current versions of Internet Explorer, Mozilla Firefox, Safari, Google Chrome, Opera, Opera Mini, Opera Mobile and the Android web browser,[5] and in the Trident, Gecko, WebKit and Presto layout engines.[6]


Wikimedia Foundation. 2010.
