HTML5 Web Messaging

•Download as KEY, PDF•

24 likes•23,610 views

Mike Taylor

Don't cross the streams.

Technology

what if the cats want to
communicate with the
ads?

Same Origin Policy

Port
Protocol
Host

*note this is a simpliﬁcation.
see http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

http://www.reddit.com
http://www.reddit.com/r/fffffffuuuuuuuuuuuu/

http://www.reddit.com/
http://static.reddit.com/

http://www.reddit.com/
http://static.reddit.com/
document.domain = “reddit.com”

http://www.reddit.com:80/
http://www.reddit.com:9001/

http://www.reddit.com
https://www.reddit.com/

Ways we cope

• window.name
• document.domain
• JSONP
• <iframe> hell
• proxies

interface MessageEvent : Event {
readonly attribute any data;
readonly attribute DOMString origin;
readonly attribute DOMString lastEventId;
readonly attribute WindowProxy source;
readonly attribute MessagePortArray ports;
void initMessageEvent(blah,blah,blah x 16);
};

event.source

this is the browsing
context from which
the message was sent

window.postMessage(message, targetOrigin [, ports ])

window.postMessage(‘{rofl: “copter”}’...)

window.postMessage(‘(ˆ–ˆ)/’, ‘http://miketaylr.com’)

window.top

window.addEventListener('DOMContentLoaded', function(){
//var f = frames[0].a;
var child = document.getElementsByTagName(‘iframe’)[0];
child.contentWindow.postMessage('a', '*');
}, false);

window.frames[0]

var a = "yay!";

window.addEventListener('message', function(event){
event.source.postMessage(window[event.data], '*');
}, false);

window.top

window.addEventListener('message', function(event){
alert(event.data);
}, false);

window.frames[0]

var a = "yay!";

window.addEventListener('message', function(event){
if (event.origin == ‘http://omgponies.com’){
event.source.postMessage(window[event.data], '*');
}
}, false);

[Constructor]
interface MessageChannel {
readonly attribute MessagePort port1;
readonly attribute MessagePort port2;
};

http://javascript.g.hatena.ne.jp/edvakf/20100109/1263070731

popup.html
injected
script
options.html

page background
process

background.js
window.opera.extension.addEventListener( 'connect', function( e ){
//Tell the injected script which theme to use
e.source.postMessage( {'theme': widget.preferences.theme} );
}, false );

hilite.js
opera.extension.addEventListener( 'message', function( e ) {
var theme = e.data.theme,
hl = new Hilighter( theme, window, document );
hl.init();
}, false);

postMessage()
injected background
page script
process
connect

EventSource Events
var f = new EventSource(‘/awesome/sauce/’);

f.addEventListener( 'message', function( e ) {
var stuff = e.data
//etc.
}, false);

WebSockets Events
var f = new WebSocket(‘ws://awesome/sauce/’);

f.addEventListener( 'message', function( e ) {
var stuff = e.data
//etc.
}, false);

Say Hi
email: miket@opera.com
tweets: @miketaylr

What's hot

Leave No One Behind with HTML5 - FFWD.PRO, CroatiaRobert Nyman

HTML5, The Open Web, and what it means for you - MDN Hack Day, Sao PauloRobert Nyman

神に近づくx/net/context (Finding God with x/net/context)guregu

HTTP For the Good or the Bad - FSEC EditionXavier Mertens

When dynamic becomes static: the next step in web caching techniquesWim Godden

Beyond PHP - it's not (just) about the codeWim Godden

JavaScript on the DesktopDomenic Denicola

When dynamic becomes static: the next step in web caching techniquesWim Godden

php part 2Shagufta shaheen

My app is secure... I thinkWim Godden

Summer of Fuzz: macOSJeremy Brown

Noah Brier: How to build web appsPlanning-ness

How to Build a Web App (for Non-Programmers)Noah Brier

[Poland] It's only about frontendOWASP EEE

Unsecuring SSHJeremy Brown

If love is_blind_-_tiffanytenka

Intro to Php SecurityDave Ross

HTML5 & The Open Web - at NackademinRobert Nyman

Remove php calls and scale your site like crazy !Wim Godden

String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script>Muhammad Sohail

What's hot (20)

Leave No One Behind with HTML5 - FFWD.PRO, Croatia

HTML5, The Open Web, and what it means for you - MDN Hack Day, Sao Paulo

神に近づくx/net/context (Finding God with x/net/context)

HTTP For the Good or the Bad - FSEC Edition

When dynamic becomes static: the next step in web caching techniques

Beyond PHP - it's not (just) about the code

JavaScript on the Desktop

When dynamic becomes static: the next step in web caching techniques

php part 2

My app is secure... I think

Summer of Fuzz: macOS

Noah Brier: How to build web apps

How to Build a Web App (for Non-Programmers)

[Poland] It's only about frontend

Unsecuring SSH

If love is_blind_-_tiffany

Intro to Php Security

HTML5 & The Open Web - at Nackademin

Remove php calls and scale your site like crazy !

String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script>

Similar to HTML5 Web Messaging

Pushing the Web: Interesting things to Known|u - The Open Security Community

The Open Web and what it meansRobert Nyman

Making our web apps safely hackableRich Manalang

Is HTML5 Ready? (workshop)Remy Sharp

Is html5-ready-workshop-110727181512-phpapp02PL dream

Build powerfull and smart web applications with Symfony2Hugo Hamon

Great Developers StealBen Scofield

Mozilla Web Apps - Super-VanJSRobert Nyman

Mobile Device APIsJames Pearce

JavaScript APIs - The Web is the PlatformRobert Nyman

JavaScript APIs - The Web is the Platform - .toster conference, MoscowRobert Nyman

Bare-knuckle web developmentJohannes Brodwall

The Magic Revealed: Four Real-World Examples of Using the Client Object Model...SPTechCon

HTML5: huh, what is it good for?Remy Sharp

HTML pour le web mobile, Firefox OS - Devfest Nantes - 2014-11-07Frédéric Harper

HTML5 APIs - Where no man has gone before! - AltranRobert Nyman

Asp.net By Durgesh Singhimdurgesh

PhpBB meets Symfony2Fabien Potencier

MoustameraBram Vandewalle

HTML5 APIs - Where No Man Has Gone Before! - GothamJSRobert Nyman

Similar to HTML5 Web Messaging (20)

Pushing the Web: Interesting things to Know

The Open Web and what it means

Making our web apps safely hackable

Is HTML5 Ready? (workshop)

Is html5-ready-workshop-110727181512-phpapp02

Build powerfull and smart web applications with Symfony2

Great Developers Steal

Mozilla Web Apps - Super-VanJS

Mobile Device APIs

JavaScript APIs - The Web is the Platform

JavaScript APIs - The Web is the Platform - .toster conference, Moscow

Bare-knuckle web development

The Magic Revealed: Four Real-World Examples of Using the Client Object Model...

HTML5: huh, what is it good for?

HTML pour le web mobile, Firefox OS - Devfest Nantes - 2014-11-07

HTML5 APIs - Where no man has gone before! - Altran

Asp.net By Durgesh Singh

PhpBB meets Symfony2

Moustamera

HTML5 APIs - Where No Man Has Gone Before! - GothamJS

Recently uploaded

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays

Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh

MINDCTI Revenue Release Quarter One 2024MIND CTI

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

FWD Group - Insurer Innovation Award 2024The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays

Why Teams call analytics are critical to your entire businesspanagenda

GenAI Risks & Security Meetup 01052024.pdflior mazor

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood

Corporate and higher education May webinar.pptxRustici Software

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Recently uploaded (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Artificial Intelligence Chap.5 : Uncertainty

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

MINDCTI Revenue Release Quarter One 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

FWD Group - Insurer Innovation Award 2024

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

Why Teams call analytics are critical to your entire business

GenAI Risks & Security Meetup 01052024.pdf

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

AWS Community Day CPH - Three problems of Terraform

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Corporate and higher education May webinar.pptx

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

HTML5 Web Messaging

1. HTML5 Web Messaging @miketaylr

10.

11. The Problem

12. what if the cats want to communicate with the ads?

13. var f = frames[0].a;

14.

15. Same Origin Policy

16. Same Origin Policy Port Protocol Host *note this is a simpliﬁcation. see http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy

17. http://www.reddit.com http://www.reddit.com/r/fffffffuuuuuuuuuuuu/

18. http://www.reddit.com/ http://static.reddit.com/

19. http://www.reddit.com/ http://static.reddit.com/ document.domain = “reddit.com”

20. http://www.reddit.com:80/ http://www.reddit.com:9001/

21. http://www.reddit.com https://www.reddit.com/

22. Ways we cope • window.name • document.domain • JSONP • <iframe> hell • proxies

23.

24. The Message Event Object

25. interface MessageEvent : Event { readonly attribute any data; readonly attribute DOMString origin; readonly attribute DOMString lastEventId; readonly attribute WindowProxy source; readonly attribute MessagePortArray ports; void initMessageEvent(blah,blah,blah x 16); };

26. event.data

27. event.origin

28. event.source this is the browsing context from which the message was sent

29. event.ports

30. remember this is the problem, right?

31.

32.

33. postMessage()

34. window.postMessage(message, targetOrigin [, ports ])

35. window.postMessage(‘{rofl: “copter”}’...)

36. window.postMessage(message, targetOrigin [, ports ])

37. window.postMessage(‘(ˆ–ˆ)/’, ‘*’)

38. window.postMessage(‘(ˆ–ˆ)/’, ‘/’)

39. window.postMessage(‘(ˆ–ˆ)/’, ‘http://miketaylr.com’)

40. window.top window.addEventListener('DOMContentLoaded', function(){ //var f = frames[0].a; var child = document.getElementsByTagName(‘iframe’)[0]; child.contentWindow.postMessage('a', '*'); }, false);

41. window.frames[0] var a = "yay!"; window.addEventListener('message', function(event){ event.source.postMessage(window[event.data], '*'); }, false);

42. window.top window.addEventListener('message', function(event){ alert(event.data); }, false);

43.

44. window.top window.addEventListener('DOMContentLoaded', function(){ //var f = frames[0].a; var child = document.getElementsByTagName(‘iframe’)[0]; child.contentWindow.postMessage('a', 'http://omgponies.com'); }, false);

45. window.frames[0] var a = "yay!"; window.addEventListener('message', function(event){ if (event.origin == ‘http://omgponies.com’){ event.source.postMessage(window[event.data], '*'); } }, false);

46. http://caniuse.com/#search=postMessage

47.

48. [Constructor] interface MessageChannel { readonly attribute MessagePort port1; readonly attribute MessagePort port2; };

49. var channel = new MessageChannel()

50. channel.port1

51. channel.port2

52. http://javascript.g.hatena.ne.jp/edvakf/20100109/1263070731

53.

54.

55.

56. Using Messaging to Extend the Browser

57.

58.

59.

60.

61. popup.html injected script options.html page background process

62.

63. background.js window.opera.extension.addEventListener( 'connect', function( e ){ //Tell the injected script which theme to use e.source.postMessage( {'theme': widget.preferences.theme} ); }, false ); hilite.js opera.extension.addEventListener( 'message', function( e ) { var theme = e.data.theme, hl = new Hilighter( theme, window, document ); hl.init(); }, false);

64. postMessage() injected background page script process connect

65.

66.

67. EventSource Events var f = new EventSource(‘/awesome/sauce/’); f.addEventListener( 'message', function( e ) { var stuff = e.data //etc. }, false);

68. event.lastEventId

69.

70. WebSockets Events var f = new WebSocket(‘ws://awesome/sauce/’); f.addEventListener( 'message', function( e ) { var stuff = e.data //etc. }, false);

71.

72. Say Hi email: miket@opera.com tweets: @miketaylr

73. Obrigado

HTML5 Web Messaging

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to HTML5 Web Messaging

Similar to HTML5 Web Messaging (20)

Recently uploaded

Recently uploaded (20)

HTML5 Web Messaging

Editor's Notes