Closed frederikrothenberger closed 1 month ago
@frederikrothenberger
This allows the signer window to redirect to other domains before signalling ready.
How would the relying party know that the incoming messages are coming from the correct window? Normally when a relying party opens a (popup) window for origin X you start listening for messages from origin X and send messages to origin X.
But if that window redirects from origin X to origin Y, how would the relying party know that it should listen and send messages to origin Y instead of X?
Sending messages without specifying the origin leaks the message to different origins (in case the window has navigated to a different origin) and listening to all messages without checking the origin is insecure since now any incoming window message is interpreted (including iframes).
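To make the concern above concrete, here is an added example (not code from the PR or the project) of the relying-party side: it accepts a message only if both `event.origin` matches the origin it opened and `event.source` is the popup it opened, and it always sends with an explicit `targetOrigin`. The origin `https://signer.example` and the message shape are constructed placeholders.

```javascript
// Added example (not from the PR): a relying party that opens a signer popup
// for one expected origin and only accepts/sends messages bound to that origin.
// Event objects mirror the browser MessageEvent fields: origin, source, data.

const SIGNER_ORIGIN = "https://signer.example"; // constructed placeholder origin

// Accept a message only if it came from the expected origin AND from the
// window we opened. A popup that navigated to another origin fails the
// origin check; an unrelated iframe or window fails the source check.
function acceptSignerMessage(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return { ok: false, reason: "origin" };
  if (event.source !== expectedSource) return { ok: false, reason: "source" };
  if (!event.data || typeof event.data.kind !== "string") {
    return { ok: false, reason: "shape" };
  }
  return { ok: true, message: event.data };
}

// Send only with an explicit targetOrigin, never "*": if the popup has since
// navigated to another origin, the browser drops the message instead of
// delivering it to that origin.
function sendToSigner(popup, expectedOrigin, message) {
  popup.postMessage(message, expectedOrigin);
}

// Wires the listener in a browser. `popup` is the object returned by
// window.open; onMessage receives only messages that passed both checks.
// Returns a function that detaches the listener again.
function attachSignerChannel(popup, expectedOrigin, onMessage) {
  const handler = (event) => {
    const result = acceptSignerMessage(event, expectedOrigin, popup);
    if (result.ok) onMessage(result.message);
  };
  globalThis.addEventListener?.("message", handler);
  return () => globalThis.removeEventListener?.("message", handler);
}
```

If the signer window redirects from origin X to origin Y, every message it posts afterwards carries `origin: Y` and is rejected by `acceptSignerMessage`, which is why the relying party cannot follow such a redirect without being told in advance which origin to trust.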
By changing from the notification to polling, the signer no longer relies on `window.opener` to be available to signal its readiness. This allows the signer window to redirect to other domains before signalling ready.