Open youk opened 10 months ago
Shouldn't this be a feature for security?
Where exactly is the security part? postMessage()
won't work OOTB, it requires explicit configuration on the receiving end.
Isn't the point of Container is isolate the tab from the rest? If the postMessage()
function can send data to other tabs in different containers then the Container is failed in isolating right? It can send data meant it can send cookie as well (get cookie turn to a simple string and send through postMessage()
). All the site can use this trick to pass by Container and tracking user.
If postMessage()
is allowed, Container becomes useless immediately. I disagree that this is a bug.
After storage partitioning there is no way to communicate between tabs. I considering it as critical bug, because there is no way how to allow it by directive or some other way. It's removing feature change.
Does this only happen when the Multi-Account Containers extension is installed? Or does it happen in any Firefox browser profile with containers enabled?
If it's a Firefox bug (not just this extension), please check bugzilla to see if the bug is already captured there. File a new one if it's not there.
Before submitting a bug report
Step to reproduce
window.postMessage()
doesn't seem to work across tabs opened in different containers. A simple sequence likedoesn't deliver the message to the listener in
target.html
.Is this intended behavior?
postMessage()
is supposed to work across different origins by design. It is up to the receiving end whether to handle a message form a particular sender or ignore it.Actual behavior
Messages sent via
postMessage()
to a tab opened in different container aren't received.Expected behavior
postMessage()
works across containers.Additional informations
No response
Provide a copy of Troubleshooting Information page (optional)
No response