Cross-window communication

Domains: Javascript

The "Same Origin" (same site) policy limits access of windows and frames to each other.

The idea is that if a user has two pages open: one from john-smith.com, and another one is gmail.com, then they wouldn't want a script from john-smith.com to read our mail from gmail.com. So, the purpose of the "Same Origin" policy is to protect users from information theft.

Same Origin

Two URLs are said to have the "same origin" if they have the same protocol, domain and port.

These URLs all share the same origin:

  • http://site.com
  • http://site.com/
  • http://site.com/my/page.html

These ones do not:

  • http://www.site.com (another domain: www. matters)
  • http://site.org (another domain: .org matters)
  • https://site.com (another protocol: https)
  • http://site.com:8080 (another port: 8080)

The "Same Origin" policy states that:

  • if we have a reference to another window, e.g. a popup created by window.open or a window inside <iframe>, and that window comes from the same origin, then we have full access to that window.
  • otherwise, if it comes from another origin, then we can't access the content of that window: variables, document, anything. The only exception is location: we can change it (thus redirecting the user). But we can't not read location (so we can't see where the user is now, no information leak).

Now let's see how some examples. First, about pages that come from the same origin, and thus there are no limitations. And afterwards we'll cover cross-window messaging that allows to work around the "Same Origin" policy.

T here's a small exclusion in the "Same Origin" policy.

If windows share the same second-level domain, for instance john.site.com, peter.site.com and site.com (so that their common second-level domain is site.com), they can be treated as coming from the "same origin".

To make it work, all such pages (including the one from site.com) should run the code:

document.domain = 'site.com';

That's all. Now they can interact without limitations. Again, that's only possible for pages with the same second-level domain.

Accessing an iframe contents

Our first example covers iframes. An <iframe> is a two-faced beast. From one side it's a tag, just like <script> or <img>. From the other side it's a window-in-window.

The embedded window has a separate document and window objects.

We can access them like using the properties:

  • iframe.contentWindow is a reference to the window inside the <iframe>.
  • iframe.contentDocument is a reference to the document inside the <iframe>.

When we access an embedded window, the browser checks if the iframe has the same origin. If that's not so then the access is denied (with exclusions noted above).

For instance, here's an <iframe> from another origin:

<iframe src="https://example.com" id="iframe"></iframe>

<script>
  iframe.onload = function() {
    // we can get the reference to the inner window
    let iframeWindow = iframe.contentWindow;

    try {
      // ...but not to the document inside it
      let doc = iframe.contentDocument;
    } catch(e) {
      alert(e); // Security Error (another origin)
    }

    // also we can't read the URL of the page in it
    try {
      alert(iframe.contentWindow.location);
    } catch(e) {
      alert(e); // Security Error
    }

    // ...but we can change it (and thus load something else into the iframe)!
    iframe.contentWindow.location = '/'; // works

    iframe.onload = null; // clear the handler, to run this code only once
  };
</script>

The code above shows errors for any operations except:

  • Getting the reference to the inner window iframe.contentWindow
  • Changing its location.

iframe.onload vs iframe.contentWindow.onload

he iframe.onload event is actually the same as iframe.contentWindow.onload. It triggers when the embedded window fully loads with all resources.

...But iframe.onload is always available, while iframe.contentWindow.onload needs the same origin.

And now an example with the same origin. We can do anything with the embedded window:

<iframe src="https://github.com/" id="iframe"></iframe>

<script>
  iframe.onload = function() {
    // just do anything
    iframe.contentDocument.body.prepend("Hello, world!");
  };
</script>

Please wait until the iframe loads

When an iframe is created, it immediately has a document. But that document is different from the one that finally loads into it!

Here, look:

<iframe src="/" id="iframe"></iframe>

<script>
  let oldDoc = iframe.contentDocument;
  iframe.onload = function() {
    let newDoc = iframe.contentDocument;
*!*
    // the loaded document is not the same as initial!
    alert(oldDoc == newDoc); // false
*/!*
  };
</script>

That's actually a well-known pitfall for novice developers. We shouldn't work with the document immediately, because that's the wrong document. If we set any event handlers on it, they will be ignored.

...But the onload event triggers when the whole iframe with all resources is loaded. What if we want to act sooner, on DOMContentLoaded of the embedded document?

That's not possible if the iframe comes from another origin. But for the same origin we can try to catch the moment when a new document appears, and then setup necessary handlers, like this:

<iframe src="/" id="iframe"></iframe>

<script>
  let oldDoc = iframe.contentDocument;

  // every 100 ms check if the document is the new one
  let timer = setInterval(() => {
    if (iframe.contentDocument == oldDoc) return;

    // new document, let's set handlers
    iframe.contentDocument.addEventListener('DOMContentLoaded', () => {
      iframe.contentDocument.body.prepend('Hello, world!');
    });

    clearInterval(timer); // cancel setInterval, don't need it any more
  }, 100);
</script>

Let me know in comments if you know a better solution here.

window.frames

An alternative way to get a window object for <iframe> -- is to get it from the named collection window.frames:

  • By number: window.frames[0] -- the window object for the first frame in the document.
  • By name: window.frames.iframeName -- the window object for the frame with name="iframeName".

For instance:

<iframe src="/" style="height:80px" name="win" id="iframe"></iframe>

<script>
  alert(iframe.contentWindow == frames[0]); // true
  alert(iframe.contentWindow == frames.win); // true
</script>

An iframe may have other iframes inside. The corresponding window objects form a hierarchy.

Navigation links are:

  • window.frames -- the collection of "children" windows (for nested frames).
  • window.parent -- the reference to the "parent" (outer) window.
  • window.top -- the reference to the topmost parent window.

For instance:

window.frames[0].parent === window; // true

We can use the top property to check if the current document is open inside a frame or not:

if (window == top) { // current window == window.top?
  alert('The script is in the topmost window, not in a frame');
} else {
  alert('The script runs in a frame!');
}

The sandbox attribute

The sandbox attribute allows for the exclusion of certain actions inside an <iframe> in order to prevent it executing untrusted code. It "sandboxes" the iframe by treating it as coming from another origin and/or applying other limitations.

By default, for <iframe sandbox src="https://github.com/iliakan/javascript-tutorial-en/blob/master/4-frames-and-windows/03-cross-window-communication/..."> the "default set" of restrictions is applied to the iframe. But we can provide a space-separated list of "excluded" limitations as a value of the attribute, like this: <iframe sandbox="allow-forms allow-popups">. The listed limitations are not applied.

In other words, an empty "sandbox" attribute puts the strictest limitations possible, but we can put a space-delimited list of those that we want to lift.

Here's a list of limitations:

allow-same-origin : By default "sandbox" forces the "different origin" policy for the iframe. In other words, it makes the browser to treat the iframe as coming from another origin, even if its src points to the same site. With all implied restrictions for scripts. This option removes that feature.

allow-top-navigation : Allows the iframe to change parent.location.

allow-forms : Allows to submit forms from iframe.

allow-scripts : Allows to run scripts from the iframe.

allow-popups : Allows to window.open popups from the iframe

See the manual for more.

The example below demonstrates a sandboxed iframe with the default set of restrictions: <iframe sandbox src="https://github.com/iliakan/javascript-tutorial-en/blob/master/4-frames-and-windows/03-cross-window-communication/...">. It has some JavaScript and a form.

 The purpose of the "sandbox" attribute is only to add more restrictions. It cannot remove them. In particular, it can't relax same-origin restrictions if the iframe comes from another origin.

Cross-window messaging

The postMessage interface allows windows to talk to each other no matter which origin they are from.

So, it's a way around the "Same Origin" policy. It allows a window from john-smith.com to talk to gmail.com and exchange information, but only if they both agree and call corresponding Javascript functions. That makes it safe for users.

The interface has two parts.

postMessage

The window that wants to send a message calls postMessage method of the receiving window. In other words, if we want to send the message to win, we should call win.postMessage(data, targetOrigin).

Arguments:

data : The data to send. Can be any object, the data is cloned using the "structured cloning algorithm". IE supports only strings, so we should JSON.stringify complex objects to support that browser.

targetOrigin : Specifies the origin for the target window, so that only a window from the given origin will get the message.

The targetOrigin is a safety measure. Remember, if the target window comes from another origin, we can't read it's location. So we can't be sure which site is open in the intended window right now: the user could navigate away.

Specifying targetOrigin ensures that the window only receives the data if it's still at that site. Good when the data is sensitive.

For instance, here win will only receive the message if it has a document from the origin http://example.com:

<iframe src="http://example.com" name="example">

<script>
  let win = window.frames.example;

  win.postMessage("message", "http://example.com");
</script>

If we don't want that check, we can set targetOrigin to *.

<iframe src="http://example.com" name="example">

<script>
  let win = window.frames.example;

*!*
  win.postMessage("message", "*");
*/!*
</script>

onmessage

To receive a message, the target window should have a handler on the message event. It triggers when postMessage is called (and targetOrigin check is successful).

The event object has special properties:

data : The data from postMessage.

origin : The origin of the sender, for instance http://javascript.info.

source : The reference to the sender window. We can immediately postMessage back if we want.

To assign that handler, we should use addEventListener, a short syntax window.onmessage does not work.

Here's an example:

window.addEventListener("message", function(event) {
  if (event.origin != 'http://javascript.info') {
    // something from an unknown domain, let's ignore it
    return;
  }

  alert( "received: " + event.data );
});

There's tota lly no delay between postMessage and the message event. That happens synchronously, even faster than setTimeout(...,0).

Summary

To call methods and access the content of another window, we should first have a reference to it.

For popups we have two properties:

  • window.open -- opens a new window and returns a reference to it,
  • window.opener -- a reference to the opener window from a popup

For iframes, we can access parent/children windows using:

  • window.frames -- a collection of nested window objects,
  • window.parent, window.top are the references to parent and top windows,
  • iframe.contentWindow is the window inside an <iframe> tag.

If windows share the same origin (host, port, protocol), then windows can do whatever they want with each other.

Otherwise, only possible actions are:

  • Change the location of another window (write-only access).
  • Post a message to it.

Exclusions are:

  • Windows that share the same second-level domain: a.site.com and b.site.com. Then setting document.domain='site.com' in both of them puts them into the "same origin" state.
  • If an iframe has a sandbox attribute, it is forcefully put into the "different origin" state, unless the allow-same-origin is specified in the attribute value. That can be used to run untrusted code in iframes from the same site.

The postMessage interface allows two windows to talk with security checks:

  1. The sender calls targetWin.postMessage(data, targetOrigin).

  2. If targetOrigin is not '*', then the browser checks if window targetWin has the URL from targetWin site.

  3. If it is so, then targetWin triggers the message event with special properties:

    • origin -- the origin of the sender window (like http://my.site.com)
    • source -- the reference to the sender window.
    • data -- the data, any object in everywhere except IE that supports only strings.

    We should use addEventListener to set the handler for this event inside the target window.

Similar pages

Closure

Recursion and stack

Objects
Page structure
Concept map
Terms

Objects

Are used to store keyed collections of various data and more complex entities. We can immediately put some properties into {...} as "key: value" pairs. We can use square brackets in an object literal. That's called computed properties. A notable feature is that it's possible to access any property. There will be no error if the property doesn't exist! Accessing a non-existing property just returns undefined.

JavaScript

Was initially created to "make web pages alive".

Set

Is a collection of values, where each value may occur only once. Unlike an array, does not allow to reorder elements.

alert

Shows a message and pauses the script execution until the user presses "OK".

Functions

Are the main "building blocks" of the program. They allow the code to be called many times without repetition. The function keyword goes first, then goes the name of the function, then a list of parameters between the parentheses (empty in the example above) and finally the code of the function, also named "the function body", between curly braces.

Data properties

Besides a value, have three special attributes (so-called "flags").

Naming

There are two limitations for a variable name in JavaScript: 1. The name must contain only letters, digits, symbols $ and _. 2. The first character must not be a digit. Characters $ and _ are normal, on par with letters. Non-Latin alphabets and hieroglyphs are also allowed, but commonly not used.

Try..catch

First, the code in try {...} is executed. If there were no errors, then catch(err) is ignored: the execution reaches the end of try and then jumps over catch. F an error occurs, then try execution is stopped, and the control flows to the beginning of catch(err). The err variable (can use any name for it) contains an error object with details about what's happened.

Comments

Can be put into any place of the script. They don't affect the execution because the engine simply ignores them.

Variables in JS

Is a "named storage" for data. To create a variable in JavaScript, we need to use the let keyword.

Number

The number type serves both for integer and floating point numbers.

"while"

While the condition is true, the code from the loop body is executed. A single execution of the loop body is called an iteration. The loop in the example makes three iterations.

NULL

The special NULL value represents a variable with no value. NULL is the only possible value of type null. The special null value does not belong to any type of those described above.