Conversation

Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given… - parent is cross-origin - can’t execute JS on parent - no sessionStorage, localStorage, cookies, or IDB access - with enough security to share auth tokens?

Neil Kandalgaonkar

@NeilKNet

Sep 15, 2020

I think this should do it

stackoverflow.com

How do I postMessage to a sibling iFrame

I'm looking for a way to postMessage to a sibling iFrame without any javascript in the parent page. The difficulty I'm having is trying to get the window object for the other iFrame from the first ...

Andy Matuschak

@andy_matuschak

Sep 15, 2020

Nope, alas: can’t access window.parent.frames cross-origin.

Replying to

and

(to my surprise, Firefox allows this! but Chrome and Safari sensibly don’t)

6:01 PM · Sep 15, 2020TweetDeck

Replying to

Okay, I've seen one more weird trick, but it involves more coordination: triply embedded iframes - origin 1 - origin 2 - origin 1 These sometimes offer possibilities for communicating, but you need help from origin 1

Andy Matuschak

@andy_matuschak

Sep 15, 2020

Won’t be able to ask for help from the parent origin, alas.

Show replies

Replying to

and

window.parent[x] should work the same as window.parent.frames[x] (in general someWin.frames === someWin). And at least per spec should be allowed cross-origin.

Andy Matuschak

@andy_matuschak

Sep 15, 2020

No dice! I’m awfully surprised this is meant to be allowed. Why should it be?

Show replies