Skip to content

Instantly share code, notes, and snippets.

@ZER0
Last active December 15, 2015 05:29
Show Gist options
  • Save ZER0/5209412 to your computer and use it in GitHub Desktop.
Save ZER0/5209412 to your computer and use it in GitHub Desktop.
JEP window.postMessage for Add-ons
// main.js
PageMod({
onAttach: function(worker) {
worker.addEventListener("message", function(event){
if (event.origin === "good.com") // page script
event.source.postMessage(event.data + " addon!", "good.com");
else if(event.origin === worker.origin) // content script
event.source.postMessage("content script, hello!", worker.origin);
});
}
})
A - addon
----
B - evil.com
C - good.com
____
// good.com - x-request
window.addEventListener("message", function(event) {
// handle only messages from addon:host
if (event.origin === "add-on:host") {
// this sent messages only if `event.source` has "add-on:host" as origin
// event.source will always be "addon:host" because of the `if`
event.source.postMessage(event.data + " addon!", event.origin);
}
});
// usually this message are not even dispatched, because origin !== document.URL
// but maybe add-on can interfere with this mechanism.
//
// So window.addEventListener("message") won't receive this event, because
// "add-on:host" !== document.URL, only the chrome add-on code will get it.
window.postMessage("page ready", "add-on:host)";
// evil.com
// can't be done: SOP - Same Origin Policy
// iframe loaded "good.com"
iframe.contentWindow.addEventListener("message", function(event) {
// ...
});
// Important: a page (good.com or evil.com or whatever) can't initiate message
// pipe with content-script
// evil.com
// this event will be fired but in the listener at `good.com`, `event.origin`
// will be `evil.com`.
// It's important that in `good.com` we verify the sender and destination.
iframe.contentWindow.postMessage("I'm a f*cking add-on", "good.com");
// evil.com
// Assuming a page-mod like is attached, then evil.com can receive message from
// add-on:
window.addEventListener("message", function(event) {
// got the message from the addon? No, because page-mod like is use explicitly
// "good.com"
// if page-mod doesn't verify `event.origin`, and use "*" as targetOrigin
// in `postMessage`, evil.com can receive the message. But still can't be
// pretend to be something different than `evil.com`.
});
// Content Script
window.addEventListener("message", function(event) {
if (event.origin === "add-on:host") {
// we received a message from addon:host
} else if (event.origin === document.URL) {
// we received a message page script
} else if (event.origin === self.origin) {
// we received a message from ourself
} else {
// possible evil.com
}
});
// window.addEventListener("message") won't receive this event, because
// self.origin !== document.URL, the only one can receive it is the
// content script itself (maybe add-on?)
window.postMessage("hello", self.origin);
// window.addEventListener("message") won't receive this event, because
// "add-on:host" !== documentURL and "add-on:host" !== self.origin
window.postMessage("hello add-on", "add-on:host")
// window.addEventListener("message") will receive this event
window.postMessage("hello page", document.URL);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment