Web Messaging, or cross-document messaging, is an

API An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...

introduced in the

WHATWG The Web Hypertext Application Technology Working Group (WHATWG) is a community of people interested in evolving HTML and related technologies. The WHATWG was founded by individuals from Apple Inc., the Mozilla Foundation and Opera Software, ...

HTML5 HTML5 (Hypertext Markup Language 5) is a markup language used for structuring and presenting hypertext documents on the World Wide Web. It was the fifth and final major HTML version that is now a retired World Wide Web Consortium (W3C) recommend ...

draft specification, allowing documents to communicate with one another across different origins, or source domains while rendered in a

web browser A web browser, often shortened to browser, is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's scr ...

. Prior to HTML5, web browsers disallowed

cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be ...

, to protect against security attacks. This practice barred communication between non-hostile pages as well, making document interaction of any kind difficult. Cross-document messaging allows scripts to interact across these boundaries, while providing a rudimentary level of security.

Requirements and attributes

Using the Messaging API's postMessage method, plain text messages can be sent from one domain to another, e.g. from a parent document to an IFRAME. This requires that the author first obtain the Window object of the receiving document. As a result, messages can be posted to the following: * other frames or iframes within the sender document's window * windows the sender document explicitly opens through JavaScript calls * the parent window of the sender document * the window which opened the sender document The message event being received has the following attributes: * data – The data, or actual content, of the incoming message. * origin – The origin of the sender document. This typically includes the scheme, hostname and port. It does not include the path or fragment identifier. * source – the WindowProxy of where the document came from (the source window). postMessage is not a blocking call; messages are processed asynchronously.

Example

Consider we want document A loaded from example.net to communicate with document B loaded from example.com into an iframe or popup window. The

JavaScript JavaScript (), often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. Ninety-nine percent of websites use JavaScript on the client side for webpage behavior. Web browsers have ...

for document A will look as follows: var o = document.getElementsByTagName('iframe') o.contentWindow.postMessage('Hello B', 'http://example.com/'); The origin of our contentWindow object is passed to postMessage. It must match the origin of the document we wish to communicate with (in this case, document B). Otherwise, a security error will be thrown and the script will stop. The JavaScript for document B will look as follows: function receiver(event) window.addEventListener('message', receiver, false); An event listener is set up to receive messages from document A. Using the origin property, it then checks that the domain of the sender is the expected domain. Document B then looks at the message, either displaying it to the user, or responding in turn with a message of its own for document A.

Security

Poor origin checking can pose a risk for applications which employ cross-document messaging. To safeguard against malicious code from foreign domains, authors should check the origin attribute to ensure messages are accepted from domains they expect to receive messages from. The format of incoming data should also be checked that it matches the expected format.

Support

Support for cross-document messaging exists in current versions of

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated as IE or MSIE) is a deprecation, retired series of graphical user interface, graphical web browsers developed by Microsoft that were u ...

Mozilla Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements curren ...

Safari A safari (; originally ) is an overland journey to observe wildlife, wild animals, especially in East Africa. The so-called big five game, "Big Five" game animals of Africa – lion, African leopard, leopard, rhinoceros, African elephant, elep ...

Google Chrome Google Chrome is a web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, iPadOS, an ...

Opera Opera is a form of History of theatre#European theatre, Western theatre in which music is a fundamental component and dramatic roles are taken by Singing, singers. Such a "work" (the literal translation of the Italian word "opera") is typically ...

Opera Mini Opera Mini is a mobile web browser made by Opera. It was primarily designed for the Java ME platform, as a low-end sibling for Opera Mobile, but only the Android and Mocor OS builds was still under active development. It had previously been d ...

Opera Mobile Opera Mobile is a mobile web browser for smartphones, tablets and PDAs developed by Opera. History The first devices to run a mobile edition of Opera were the Psion Series 5, Psion Series 5mx, Psion Series 7, and then Psion netBook. They ...

, and Android web browser. Support for the API exists in the

Trident A trident (), () is a three- pronged spear. It is used for spear fishing and historically as a polearm. As compared to an ordinary spear, the three tines increase the chance that a fish will be struck and decrease the chance that a fish will b ...

Gecko Geckos are small, mostly carnivorous lizards that have a wide distribution, found on every continent except Antarctica. Belonging to the infraorder Gekkota, geckos are found in warm climates. They range from . Geckos are unique among lizards ...

WebKit WebKit is a browser engine primarily used in Apple's Safari web browser, as well as all web browsers on iOS and iPadOS. WebKit is also used by the PlayStation consoles starting with the PS3, the Tizen mobile operating systems, the Amazon K ...

and

Presto Presto may refer to: Computing * Presto (browser engine), an engine previously used in the Opera web browser * Presto (operating system), a Linux-based OS by Xandros * Presto (SQL query engine), a distributed query engine * Presto (animation so ...

layout engines.

References

External links