Open scottanderson42 opened 8 months ago
Thanks for logging this. I don't think supporting this securely is very straightforward since Penpal is limited by the underlying `postMessage` browser API. When using `postMessage`, the target origin needs to be specified as `*` or a specific origin.
In the scenario you're describing, the parent would need to know the child's specific subdomain in order to securely connect to the child. I'll keep thinking about this. I'm open to ideas.
Would there be any interest in implementing this by using the referrer URL and doing some manual parsing?
I actually have an implementation on the workers branch that supports a regex or string for both `parentOrigin` (when connecting from child to parent) and `childOrigin` (when connecting from parent to a child). That branch also includes support for workers (instead of just iframes) and transferables. It's not quite ready to release though. I think the main thing remaining is getting the types straightened out, particularly for the transferables support.
If you want to try it out, give it a spin! I can also publish a pre-release version to npm if that would help.
In #73, the ability to allow any child origin was added via `'*'`. We'd like to do the same thing, but with the restriction of only allowing subdomains of the original child origin as a safer alternative. We can sometimes redirect to a subdomain for certain customer configurations.

Proposed change: if the configured `childOrigin` domain begins with `.`, treat subdomains as equivalent.
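As an added illustration of the proposal (example code, not Penpal's own implementation), here is a parent-side origin check covering the three `childOrigin` forms discussed in the thread: `'*'`, an exact origin, and the proposed leading-dot form such as `.example.com` (the apex and any subdomain). It assumes the leading-dot form is https-only, and it shows why the reply still has to target the validated concrete origin rather than `*`.

```javascript
// Added example, not Penpal's code. Validates an incoming message's origin
// against a configured childOrigin policy and derives the concrete
// targetOrigin to use for the reply. Assumption: the leading-dot form
// ('.example.com') only accepts https:// origins.

function isSerializedOrigin(s) {
  // A postMessage event.origin is "scheme://host[:port]" with no path, and an
  // opaque origin arrives as the string "null"; neither may match loosely.
  try { return new URL(s).origin === s; } catch { return false; }
}

function matchesChildOrigin(configured, origin) {
  if (configured === '*') return true;            // any origin (the #73 behaviour)
  if (!isSerializedOrigin(origin)) return false;
  if (!configured.startsWith('.')) return configured === origin; // exact match
  const url = new URL(origin);
  if (url.protocol !== 'https:') return false;   // assumption: subdomain form is https-only
  const apex = configured.slice(1).toLowerCase(); // '.example.com' -> 'example.com'
  // Suffix match keeps the dot, so 'evilexample.com' and 'example.com.evil' fail.
  return url.hostname === apex || url.hostname.endsWith(configured.toLowerCase());
}

// postMessage itself only accepts '*' or one specific origin, so once the
// sender's origin is accepted it becomes the targetOrigin for the reply.
function acceptChildMessage(configuredChildOrigin, event) {
  if (!matchesChildOrigin(configuredChildOrigin, event.origin)) {
    return { accepted: false, targetOrigin: null };
  }
  return { accepted: true, targetOrigin: event.origin };
}

// In a browser the handler would be wired up like this:
// window.addEventListener('message', (event) => {
//   const { accepted, targetOrigin } = acceptChildMessage('.example.com', event);
//   if (accepted) event.source.postMessage({ type: 'ack' }, targetOrigin);
// });

// Constructed sample events (not captured from a real page).
const sampleEvents = [
  { origin: 'https://app.example.com', data: 'hello' },   // subdomain: accepted
  { origin: 'https://example.com.evil', data: 'hello' },  // lookalike: rejected
  { origin: 'http://app.example.com', data: 'hello' },    // plain http: rejected
];
```

Note that `hostname` excludes the port, so `https://app.example.com:8443` also matches `.example.com`; tighten the check if ports matter in your deployment.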