Last active
December 15, 2015 05:29
-
-
Save ZER0/5209412 to your computer and use it in GitHub Desktop.
JEP window.postMessage for Add-ons
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // main.js | |
| PageMod({ | |
| onAttach: function(worker) { | |
| worker.addEventListener("message", function(event){ | |
| if (event.origin === "good.com") // page script | |
| event.source.postMessage(event.data + " addon!", "good.com"); | |
| else if(event.origin === worker.origin) // content script | |
| event.source.postMessage("content script, hello!", worker.origin); | |
| }); | |
| } | |
| }) | |
| A - addon | |
| ---- | |
| B - evil.com | |
| C - good.com | |
| ____ | |
| // good.com - x-request | |
| window.addEventListener("message", function(event) { | |
| // handle only messages from addon:host | |
| if (event.origin === "add-on:host") { | |
| // this sent messages only if `event.source` has "add-on:host" as origin | |
| // event.source will always be "addon:host" because of the `if` | |
| event.source.postMessage(event.data + " addon!", event.origin); | |
| } | |
| }); | |
| // usually this message are not even dispatched, because origin !== document.URL | |
| // but maybe add-on can interfere with this mechanism. | |
| // | |
| // So window.addEventListener("message") won't receive this event, because | |
| // "add-on:host" !== document.URL, only the chrome add-on code will get it. | |
| window.postMessage("page ready", "add-on:host)"; | |
| // evil.com | |
| // can't be done: SOP - Same Origin Policy | |
| // iframe loaded "good.com" | |
| iframe.contentWindow.addEventListener("message", function(event) { | |
| // ... | |
| }); | |
| // Important: a page (good.com or evil.com or whatever) can't initiate message | |
| // pipe with content-script | |
| // evil.com | |
| // this event will be fired but in the listener at `good.com`, `event.origin` | |
| // will be `evil.com`. | |
| // It's important that in `good.com` we verify the sender and destination. | |
| iframe.contentWindow.postMessage("I'm a f*cking add-on", "good.com"); | |
| // evil.com | |
| // Assuming a page-mod like is attached, then evil.com can receive message from | |
| // add-on: | |
| window.addEventListener("message", function(event) { | |
| // got the message from the addon? No, because page-mod like is use explicitly | |
| // "good.com" | |
| // if page-mod doesn't verify `event.origin`, and use "*" as targetOrigin | |
| // in `postMessage`, evil.com can receive the message. But still can't be | |
| // pretend to be something different than `evil.com`. | |
| }); | |
| // Content Script | |
| window.addEventListener("message", function(event) { | |
| if (event.origin === "add-on:host") { | |
| // we received a message from addon:host | |
| } else if (event.origin === document.URL) { | |
| // we received a message page script | |
| } else if (event.origin === self.origin) { | |
| // we received a message from ourself | |
| } else { | |
| // possible evil.com | |
| } | |
| }); | |
| // window.addEventListener("message") won't receive this event, because | |
| // self.origin !== document.URL, the only one can receive it is the | |
| // content script itself (maybe add-on?) | |
| window.postMessage("hello", self.origin); | |
| // window.addEventListener("message") won't receive this event, because | |
| // "add-on:host" !== documentURL and "add-on:host" !== self.origin | |
| window.postMessage("hello add-on", "add-on:host") | |
| // window.addEventListener("message") will receive this event | |
| window.postMessage("hello page", document.URL); | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment