Hacker News new | ask | show | jobs
by tiplus 3366 days ago
I was puzzled when I first saw cross tab communication in impress.js for their slide control tab (slid.es) and I am still wondering about the proper use case of this feature today. Isn't this a security nightmare?
2 comments
tyingq 3366 days ago
It maps back to window.postMessage. There's a security concerns section on Mozilla's docs: https://developer.mozilla.org/en-US/docs/Web/API/Window/post...

All boils down the sender using a specific target, and the receiver remembering to check the origin.

link
d--b 3366 days ago
Doesn't most Oauth2 things work that way?

http://www.riskcompletefailure.com/2013/03/postmessage-oauth...

link