有什么理由我不应该为现代浏览器使用 window.postMessage API,post 2016?
Is there any reason why I should NOT use window.postMessage API for modern browsers, post 2016?
我找到的很多关于 window.postMessage 和 iframe 的内容,跨域 iframe 通信似乎过时了。
对于现代浏览器 >= IE9 .. 似乎 vanilla js window.postMessage 就足够了。与使用像 easyXDM 或其他更大的包相比。
http://caniuse.com/#search=postMessage
我错过了什么?
主要是安全问题:
Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
接下来,如果您使用 postMessage 发送,您就会面临数据被恶意站点拦截的风险:
A malicious site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage.
此外,传输参数虽然是可选的,但并不是所有浏览器的标准配置:
otherWindow.postMessage(message, targetOrigin, [transfer]);
我找到的很多关于 window.postMessage 和 iframe 的内容,跨域 iframe 通信似乎过时了。
对于现代浏览器 >= IE9 .. 似乎 vanilla js window.postMessage 就足够了。与使用像 easyXDM 或其他更大的包相比。
http://caniuse.com/#search=postMessage
我错过了什么?
主要是安全问题:
Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
接下来,如果您使用 postMessage 发送,您就会面临数据被恶意站点拦截的风险:
A malicious site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage.
此外,传输参数虽然是可选的,但并不是所有浏览器的标准配置:
otherWindow.postMessage(message, targetOrigin, [transfer]);