API.md states an iframe should look for a frame with a name '__uspapiLocator' but this is not possible due to CORS
Closed this issue · 5 comments
The documentation states in API.md:
To locate an ancestor frame capable of responding to postMessage() API calls search for an ancestor frame that has a child frame named '__uspapiLocator'.
However, a cross site frame may not do this, and a non cross site frame can simply call the __uspapi function.
Per https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_script_API_access, a cross-domain frame does have read-only access to window.frames and window.parent, which is why this technique for locating the correct frame ancestor is used.
Yes yes, it has access to window.frames and window.parent BUT window.name is not accessible and that is what is needed.
@alextcone
Please reopen this issue and don't close it again without a working code example as proof that this is not an issue.
@KevinBrogan, it's basically the same logic detailed in https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md#is-there-a-sample-iframe-script-call-to-the-cmp-api which doesn't require using window.name (since you can look up window.frames using the key of window name), however, you are correct that the code example at https://github.com/InteractiveAdvertisingBureau/CCPA-reference-code/blob/master/iframe.html#L14 should include this ancestor-search -- I'll submit a PR for this.
It's often helpful, if you have broken code, to post that in your bug report / issue, rather than demanding that others post examples of working code.
Thank you for the "like" code example.
I was not aware that windows could be looked up by their name, by using a named index off of their parent window.
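The ancestor search discussed in this thread, as an added example that is not part of the original issue or of the IAB reference code: it walks up through `parent` and looks the locator up by name in `frames`, never reading `name`. `findUspapiFrame` and `mockWindow` are hypothetical names, and the mock windows are constructed stand-ins for cross-origin windows so the sketch runs under Node.

```javascript
// Name of the marker child frame, as quoted from API.md in this thread.
const LOCATOR_NAME = '__uspapiLocator';

// Walk from `start` up through its ancestors and return the first window that
// has a child frame named LOCATOR_NAME, or null if none does. Only
// `frames[name]`, `parent` and `top` are read; `name` is never touched.
function findUspapiFrame(start) {
  let frame = start;
  while (frame) {
    try {
      if (frame.frames[LOCATOR_NAME]) return frame;
    } catch (e) {
      // Defensive: skip a window that refuses the lookup and keep climbing.
    }
    if (frame === frame.top) break; // reached the top-level window
    frame = frame.parent;
  }
  return null;
}

// Constructed stand-in for a cross-origin Window (assumption for this demo):
// reading `name` throws, while named child lookup through `frames` works.
function mockWindow(parent, childNames) {
  const win = { frames: {} };
  win.parent = parent || win; // a top-level window is its own parent
  win.top = parent ? parent.top : win;
  Object.defineProperty(win, 'name', {
    get() { throw new Error('SecurityError: cross-origin access to name'); },
  });
  for (const n of childNames) win.frames[n] = {};
  return win;
}

// Constructed frame tree: top page (with locator) > ad iframe > nested iframe.
const topPage = mockWindow(null, [LOCATOR_NAME, 'ad']);
const adFrame = mockWindow(topPage, ['nested']);
const nestedFrame = mockWindow(adFrame, []);
const orphanTop = mockWindow(null, []); // a page with no locator frame at all
```

In a browser the caller would then `postMessage` to the returned window and accept a reply only when `event.source` is that same window, since the locator name alone does not authenticate the frame that answers.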