Aaronius / penpal

A promise-based library for securely communicating with iframes via postMessage.
MIT License

false childOrigin to skip origin check #74

Closed KutnerUri closed 2 years ago

KutnerUri commented 2 years ago

Allow consumers to skip iframe origin url check in connectToChild(). This is useful when the iframe redirects, etc.

connectToChild() already checks the message origin is the target iframe, so it should be ok.

Closes #73

KutnerUri commented 2 years ago

I added the same logic for originForReceiving. Not sure it makes sense, but the tests pass.

Aaronius commented 2 years ago

Thanks for the contribution, @KutnerUri! I left a comment to consider on the issue you logged.

I think I'd like to support a childOrigin value of * rather than false, as it's more consistent with the wildcard pattern provided underneath the hood by postMessage and also cuts down on some code. I've added commits accordingly. I'd appreciate it if you would review my changes and then I'd like to take another look myself with fresh eyes later. I like to be especially careful with any changes dealing with security.

Nice job figuring out the codebase enough to make the changes you did, btw!
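The two checks discussed in this thread (the source check that always applies, and the origin check that a `*` childOrigin opts out of) as an added illustration; this is not penpal's own code, and the names `originFromSrc`, `shouldAccept`, `expectedSource` and the sample origins are assumptions made for the example.

```javascript
// Added illustration, not penpal's source. Models the parent-side decision a
// postMessage receiver makes before trusting a message from a child iframe.

// Derive the expected origin from an iframe src, as a library would when the
// consumer passes no explicit childOrigin. Note that WHATWG URL normalises
// default ports away and yields the opaque origin 'null' for about:blank and
// data: URLs, which is one reason a consumer may be unable to predict the
// child's origin and want to opt out of the check.
function originFromSrc(src) {
  return new URL(src).origin;
}

// Decide whether a MessageEvent-like object { source, origin } may be handled.
// - source check: the message must come from the frame's own window object;
//   this guard stays in place regardless of the childOrigin setting.
// - origin check: the sender's origin must equal the expected childOrigin,
//   unless the consumer opted into '*' (the same wildcard postMessage uses).
function shouldAccept(event, { expectedSource, childOrigin }) {
  if (event.source !== expectedSource) return false;
  if (childOrigin === '*') return true; // origin check deliberately skipped
  return event.origin === childOrigin;
}

// Constructed scenario: the frame was loaded from child.example.com but
// redirected elsewhere before the handshake, so a strict origin check fails
// while '*' accepts the message on the strength of the source check alone.
function redirectScenario() {
  const childWindow = {}; // stands in for iframe.contentWindow
  const strict = originFromSrc('https://child.example.com:443/app/index.html');
  const msg = { source: childWindow, origin: 'https://redirected.example' };
  return {
    strict: shouldAccept(msg, { expectedSource: childWindow, childOrigin: strict }),
    wildcard: shouldAccept(msg, { expectedSource: childWindow, childOrigin: '*' }),
    foreignWindow: shouldAccept({ ...msg, source: {} },
      { expectedSource: childWindow, childOrigin: '*' }),
  };
}
```

With `*`, any origin is accepted, so the identity of the sending window is the only remaining guard; that is the trade-off the change in this PR asks the consumer to make explicitly.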

KutnerUri commented 2 years ago

thanks, waiting for a new version of penpal! 😃

I think we should document the "*" option in the JSDocs. (Use "*" to skip origin check). The test is also imperfect - setting the frame src after connectToChild() was a hack to make it fail. I'd rather use a different server url to make the test fail when not using "*" (but it was complicated for me to implement).

Aaronius commented 2 years ago

Yeah, I agree. I'm cooking up those changes now. 🧑‍🍳

Aaronius commented 2 years ago

Thanks for your contribution, @KutnerUri! Released as 6.2.0.

KutnerUri commented 2 years ago

thanks! 🙏