我可以将 postMessage 中的源窗口与我的 window.frames 进行比较吗?
我想将一些信息从框架冒泡到其父对象(由于 XSS 而无法访问的信息)。
我可以比较通过 postMessagesource 窗口吗code> 到 window.frames 的值?
MDN(在上面的链接中)表示该消息可用于 postMessage 返回,但并未涉及相等性测试。
这在 IE9 FF5 和 Chrome12 上可以正常工作,但我想知道这是否可靠(即是否在标准中)。
测试代码:
postMessageOuter.html
<!DOCTYPE html>
<html>
<head>
<title>Outer Page</title>
<script type="text/javascript">
window.addEventListener("message", function (event) {
for (var i = 0; i < frames.length; ++i)
if (event.source == frames[i])
alert(i);
}, false);
</script>
</head>
<body>
<iframe src="postMessageInner.html"></iframe>
<iframe src="postMessageInner.html"></iframe>
<iframe src="postMessageInner.html"></iframe>
</body>
</html>
postMessageInner.html
<!DOCTYPE html>
<html>
<head>
<title>Inner Page</title>
<script type="text/javascript">
function foo() {
window.parent.postMessage("Hello", "*");
}
</script>
</head>
<body>
<input type="button" value="X" onclick="foo()" />
</body>
</html>
I want to bubble some information from a frame to its parent object (information that isn't accessible due to XSS).
Can I compare the source window sent via postMessage to the values of window.frames?
MDN (in the link above) says that the message can be used to postMessage back but doesn't refer to testing for equality.
This works correctly on IE9 FF5 and Chrome12 but I want to know if this is dependable (i.e. is it in the standard).
Test code:
postMessageOuter.html
<!DOCTYPE html>
<html>
<head>
<title>Outer Page</title>
<script type="text/javascript">
window.addEventListener("message", function (event) {
for (var i = 0; i < frames.length; ++i)
if (event.source == frames[i])
alert(i);
}, false);
</script>
</head>
<body>
<iframe src="postMessageInner.html"></iframe>
<iframe src="postMessageInner.html"></iframe>
<iframe src="postMessageInner.html"></iframe>
</body>
</html>
postMessageInner.html
<!DOCTYPE html>
<html>
<head>
<title>Inner Page</title>
<script type="text/javascript">
function foo() {
window.parent.postMessage("Hello", "*");
}
</script>
</head>
<body>
<input type="button" value="X" onclick="foo()" />
</body>
</html>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
postMessage是HTML5草案的一部分,因此在最新的浏览器中受到支持。规范说
此 WindowProxy 也是 window.frame 枚举的值。
http://www.whatwg.org/specs /web-apps/current-work/multipage/comms.html#crossDocumentMessages
postMessageis part of theHTML5draft and thus supported in the newest browsers.The spec says
this WindowProxy is the value of the window.frame enumeration, too.
http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html#crossDocumentMessages