Conversation

Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given… - parent is cross-origin - can’t execute JS on parent - no sessionStorage, localStorage, cookies, or IDB access - with enough security to share auth tokens?

Neil Kandalgaonkar

@NeilKNet

Sep 15, 2020

I think this should do it

stackoverflow.com

How do I postMessage to a sibling iFrame

I'm looking for a way to postMessage to a sibling iFrame without any javascript in the parent page. The difficulty I'm having is trying to get the window object for the other iFrame from the first ...

Andy Matuschak

@andy_matuschak

Sep 15, 2020

Nope, alas: can’t access window.parent.frames cross-origin.

Andy Matuschak

@andy_matuschak

Sep 15, 2020

(to my surprise, Firefox allows this! but Chrome and Safari sensibly don’t)

Domenic Denicola

@domenic

Sep 15, 2020

window.parent[x] should work the same as window.parent.frames[x] (in general someWin.frames === someWin). And at least per spec should be allowed cross-origin.

Andy Matuschak

@andy_matuschak

Sep 15, 2020

No dice! I’m awfully surprised this is meant to be allowed. Why should it be?

Domenic Denicola

@domenic

Sep 15, 2020

Hmm. In general you're supposed to be able to access the frame tree; you just get a censored view of the Window object (containing only the properties in html.spec.whatwg.org/multipage/brow, such as postMessage).

Replying to

and

Ah, I see. Yes, I was hoping for postMessage access, but I was unsurprised to meet a brick wall instead. :)

6:34 PM · Sep 15, 2020TweetDeck