Open pfrazee opened 10 years ago
pfrazee
commented
10 years ago Turns out you can only check the origin of messages if the popup is in another domain. I'm not sure you can detect if a page navigates within the origin, then. However, navigations to another domain are detectable through the message's origin value.
pfrazee
commented
10 years ago Another issue: If one of the pages is refreshed or navigated, how do you resume the connection?
From the popup's perspective, this is trivial: window.opener remains set.
From the opener's perspective, it's trickier but doable: the popup windows can be reaccessed with window.open by re-using the second parameter (name) and leaving the first param (url) blank. Therefore, resumption is a matter of storing the active popup names in session storage, then reading and re-acquiring the popups on page load.
For interactions outside localhost: I'm experimenting with the window.opener.postMessage channel that popups get. This could be used, for instance, for "Actions" - something like "Add Record" or "Share Selected."
The opened page would interact with the parent like this:
Security-wise, the appeal of this is that there's no credential or token management. Popups can have their location checked for each message, so the channel can be tied to a specific page. The popups can live on the public Web, and the host page can apply permissions to their requests based on what the action requires.
For development, this is appealing because the popups have their own document and no restrictions on how they use it.
The downside is that the parent page must stay open for the action to work. That worries me a bit, but we could register a "Are you sure you want to leave?" dialog while an action is pending.