HTML 5 postMessage() API allows cross-domain messaging

Finally an answer for mashups and cross-domain widget developers.  Also, a lovely attack surface for the security crowd.

Now domain-x can communicate with domain-y legally.  John Resig has a nice writeup about this feature in Firefox 3.x: http://ejohn.org/blog/cross-window-messaging/.

The HTML 5 spec spells out the details with vivid warnings for User Agent developers.

This functionality has been available for a while now through smack-ups like the XssInterface project and the Google Gears allowCrossOrigin() function.
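Where the attack surface sits on the receiving side of a cross-domain message, as an added example that is not from the original post or any project it mentions: a handler that matches `event.origin` exactly against an allow-list and treats `event.data` as untrusted input, beside a substring check that accepts look-alike origins. The origin `https://domain-x.example`, the `resize` message format and all function names are assumptions made for illustration.

```javascript
// Added example: receiver-side checks for postMessage() events.
// ALLOWED_ORIGINS, the "resize" message and the function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://domain-x.example"]);

// Weak check: a substring match also accepts look-alike hosts and the
// plain-http variant of the trusted site.
function weakOriginCheck(event) {
  return String(event.origin).indexOf("domain-x.example") !== -1;
}

// Strict check: exact match of scheme + host + port against the allow-list.
function strictOriginCheck(event) {
  return typeof event.origin === "string" && ALLOWED_ORIGINS.has(event.origin);
}

// event.data is attacker-controlled: parse it, validate its shape and range,
// and never eval it or write it into the DOM as markup.
function parseMessage(data) {
  if (typeof data !== "string" || data.length > 1024) return null;
  let msg;
  try {
    msg = JSON.parse(data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object") return null;
  if (msg.type !== "resize" || !Number.isInteger(msg.height)) return null;
  if (msg.height < 0 || msg.height > 5000) return null;
  return { type: "resize", height: msg.height }; // copy only known fields
}

// Returns a decision object so the outcome can be logged or tested.
function handleMessage(event) {
  if (!strictOriginCheck(event)) return { accepted: false, reason: "origin" };
  const msg = parseMessage(event.data);
  if (msg === null) return { accepted: false, reason: "payload" };
  return { accepted: true, message: msg };
}

// Browser wiring (not executed here):
//   window.addEventListener("message", (e) => handleMessage(e), false);

// Constructed sample events, shaped like MessageEvent objects.
const SAMPLE_EVENTS = {
  trusted: { origin: "https://domain-x.example", data: '{"type":"resize","height":300}' },
  lookalike: { origin: "https://domain-x.example.other.test", data: '{"type":"resize","height":300}' },
  downgraded: { origin: "http://domain-x.example", data: '{"type":"resize","height":300}' },
  badPayload: { origin: "https://domain-x.example", data: '{"type":"resize","height":"<img>"}' },
};
```
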
