Chapter 5. Cross-domain iframe messaging

 

This chapter covers

  • The role of iframes in cross-domain messaging
  • HTML5 window.postMessage API
  • window.postMessage alternatives for legacy browsers
  • easyXDM—the cross-domain messaging library

In chapter 4 you learned about the same-origin policy (SOP)—a browser security concept that prohibits pages from different origins from accessing each other’s methods and properties. You also learned a few tricks—subdomain proxies, JSONP, and CORS—that allow you to circumvent the SOP in order to send HTTP requests to your servers.

One of those solutions, subdomain proxies, used iframe elements as a means of communicating with your servers. It relied upon the fact that documents hosted inside iframes can freely communicate with URLs on the same domain. But in order for your third-party JavaScript code to access the iframe and initiate network requests, the target document needed to reside in the same domain space as the publisher’s website—using a subdomain proxy. As you learned, asking publishers to configure dedicated subdomains for your application is a significant burden. But what if there were another way of accessing iframes?

5.1. HTML5 window.postMessage API

5.2. Fallback techniques

5.3. Simple cross-domain messaging with easyXDM

5.4. Summary
