global.postMessage issue
rawb opened this issue · 2 comments
Hello,
Using installPostMessageImplementation() will use global.postMessage to send messages. If, let's say, you maintain a browser extension that has access to window and executes this code, you will send a message that a web page could be listening to. If the web page has code that is listening for messages but does not clean the message before processing (JSON.parse(message)), you could break a site unintentionally.

I know as professionals we should clean input before processing or try/catch, etc., but big sites such as icloud.com fall victim to this issue.

After navigating to the notes section after logging in to icloud.com, the page will error if you execute a setImmediate() call sometime during loading.
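The failure mode described above, as an added example that is not part of the original issue or the library's code: a simplified postMessage-based setImmediate (modelled on the approach the issue describes, not the library's own implementation) is installed in the same window as a page listener that does an unguarded JSON.parse on every message. Everything here is constructed for the demonstration: the fake window, its origin, the "notes" message shape, and the listener names. The fake window delivers queued messages on flush() and collects listener exceptions the way the browser would report them as uncaught errors.

```javascript
// Constructed stand-in for the browser window (added example, not library code).
// It models only what matters here: "message" listeners, postMessage with
// event.data / event.origin / event.source, and queued delivery.
function makeFakeWindow(origin) {
  const listeners = [];
  const queue = [];
  const win = {
    origin: origin || "https://example.test", // constructed origin, not a real site
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    // targetOrigin is accepted but ignored; the real API uses it to gate delivery.
    postMessage(data, targetOrigin) {
      queue.push({ data: data, origin: win.origin, source: win });
    },
    // Deliver queued messages like one turn of the browser event loop: every
    // listener sees every message, and a listener that throws does not stop the
    // others (the browser reports the exception as an uncaught error instead).
    flush() {
      const errors = [];
      while (queue.length) {
        const event = queue.shift();
        for (const fn of listeners) {
          try { fn(event); } catch (e) { errors.push(e); }
        }
      }
      return errors;
    },
  };
  return win;
}

// Simplified postMessage-based setImmediate (an assumption about the technique,
// not the library's code): post a string with a random prefix to our own window
// and run the matching task when it comes back through the message event.
function installPostMessageSetImmediate(win) {
  const tasks = new Map();
  const prefix = "setImmediate$" + Math.random() + "$";
  let nextHandle = 1;
  win.addEventListener("message", function (event) {
    if (event.source === win && typeof event.data === "string" &&
        event.data.indexOf(prefix) === 0) {
      const handle = Number(event.data.slice(prefix.length));
      const task = tasks.get(handle);
      if (task) { tasks.delete(handle); task(); }
    }
  });
  return function (task) {
    const handle = nextHandle++;
    tasks.set(handle, task);
    win.postMessage(prefix + handle, "*"); // this string is what the page's listener sees
    return handle;
  };
}

// The fragile pattern from the issue: parse every message as JSON, no guard.
function fragileListener(received) {
  return function (event) {
    received.push(JSON.parse(event.data)); // throws SyntaxError on the polyfill's string
  };
}

// Hardened: check origin, guard the parse, validate the shape. The origin and
// source checks do not filter the polyfill's message (it is posted by the page's
// own window), so the parse guard and shape check are what protect the page.
function hardenedListener(received, expectedOrigin) {
  return function (event) {
    if (event.origin !== expectedOrigin) return;
    if (typeof event.data !== "string") return;
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return; } // not ours, ignore
    if (msg && typeof msg === "object" && msg.type === "notes") received.push(msg);
  };
}

// One window, both sides: the page registers its listener, the polyfill is
// installed and used once, then the page's own JSON message arrives.
function runScenario(hardened) {
  const win = makeFakeWindow();
  const received = [];
  win.addEventListener("message",
    hardened ? hardenedListener(received, win.origin) : fragileListener(received));
  const polyfilledSetImmediate = installPostMessageSetImmediate(win);
  let taskRan = false;
  polyfilledSetImmediate(function () { taskRan = true; });
  win.postMessage(JSON.stringify({ type: "notes", id: 7 }), win.origin); // constructed page message
  const errors = win.flush();
  return {
    taskRan: taskRan,
    received: received,
    errorNames: errors.map(function (e) { return e.name; }),
  };
}
```

runScenario(false) reproduces the report: the polyfill's task still runs, the page's own message is still processed, but the page listener throws a SyntaxError on the setImmediate string, which in a real browser surfaces as an uncaught error. runScenario(true) shows that an origin check alone would not have helped, since the sender is the page's own window; the try/catch around JSON.parse and the shape check are what make the listener tolerant of messages it did not expect.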
That is indeed somewhat scary. Do you think postMessage should be avoided altogether?
As the readme mentions, window.postMessage seems like it's the best hack available until something native comes along. I wrote this issue without understanding the need for window.postMessage for this lib and understanding that there is no better alternative. Thanks for reading it though!