diff --git a/README.md b/README.md
index 0e83031..36ca973 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,9 @@ import { connectToChild } from 'penpal';
const iframe = document.createElement('iframe');
iframe.src = 'http://example.com/iframe.html';
+
+// This conditional is not Penpal-specific. It's merely
+// an example of how you can add an iframe to the document.
if (
document.readyState === 'complete' ||
document.readyState === 'interactive'
@@ -58,10 +61,11 @@ if (
});
}
+// This is where the magic begins.
const connection = connectToChild({
- // The iframe to which a connection should be made
+ // The iframe to which a connection should be made.
iframe,
- // Methods the parent is exposing to the child
+ // Methods the parent is exposing to the child.
methods: {
add(num1, num2) {
return num1 + num2;
@@ -81,13 +85,14 @@ connection.promise.then((child) => {
import { connectToParent } from 'penpal';
const connection = connectToParent({
- // Methods child is exposing to parent
+ // Methods child is exposing to parent.
methods: {
multiply(num1, num2) {
return num1 * num2;
},
divide(num1, num2) {
- // Return a promise if the value being returned requires asynchronous processing.
+ // Return a promise if the value being
+ // returned requires asynchronous processing.
return new Promise((resolve) => {
setTimeout(() => {
resolve(num1 / num2);
@@ -106,47 +111,79 @@ connection.promise.then((parent) => {
### `connectToChild(options: Object) => Object`
-**For Penpal to operate correctly, you must ensure that `connectToChild` is called before the iframe has called `connectToParent`.** As shown in the example above, it is safe to set the `src` or `srcdoc` property of the iframe and append the iframe to the document before calling `connectToChild` as long as they are both done in the same [JavaScript event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop). Alternatively, you can always append the iframe to the document _after_ calling `connectToChild` instead of _before_.
+**For Penpal to operate correctly, you must ensure that `connectToChild` is called before the iframe calls `connectToParent`.** As shown in the example above, it is safe to set the `src` or `srcdoc` property of the iframe and append the iframe to the document before calling `connectToChild` as long as they are both done in the same [JavaScript event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop). Alternatively, you can always append the iframe to the document _after_ calling `connectToChild` instead of _before_.
#### Options
-`options.iframe: HTMLIFrameElement` (required) The iframe element to which Penpal should connect. Unless you provide the `childOrigin` option, you will need to have set either the `src` or `srcdoc` property on the iframe prior to calling `connectToChild` so that Penpal can automatically derive the child origin. In addition to regular URLs, [data URIs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) and [file URIs](https://en.wikipedia.org/wiki/File_URI_scheme) are also supported.
+`options.iframe: HTMLIFrameElement` (required)
+
+The iframe element to which Penpal should connect. Unless you provide the `childOrigin` option, you will need to have set either the `src` or `srcdoc` property on the iframe prior to calling `connectToChild` so that Penpal can automatically derive the child origin. In addition to regular URLs, [data URIs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) and [file URIs](https://en.wikipedia.org/wiki/File_URI_scheme) are also supported.
+
+`options.methods: Object` (optional)
+
+An object containing methods which should be exposed for the child iframe to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+
+`options.childOrigin: string` (optional)
+
+In the vast majority of cases, Penpal can automatically determine the child origin based on the `src` or `srcdoc` property that you have set on the iframe. This will automatically restrict communication to that origin.
-`options.methods: Object` (optional) An object containing methods which should be exposed for the child iframe to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+In some rare cases, particularly when using the `file://` protocol on various devices, browsers are inconsistent in how they report and handle origins. If you receive an error saying that the parent received a handshake from an unexpected origin, you may need to manually pass the child origin using this option.
-`options.childOrigin: string` (optional) In the vast majority of cases, Penpal can automatically determine the child origin based on the `src` or `srcdoc` property that you have set on the iframe. Unfortunately, browsers are inconsistent in certain cases, particularly when using the `file://` protocol on various devices. If you receive an error saying that the parent received a handshake from an unexpected origin, you may need to manually pass the child origin using this option.
+In other [niche scenarios](https://github.com/Aaronius/penpal/issues/73), you may want the parent to be able to communicate with any child origin. In this case, you can set `childOrigin` to `*`. **This is discouraged.** To illustrate the risk, if a nefarious attacker manages to create a link within the child page that another user can click (for example, if you fail to inadequately escape HTML in a message board comment), and that link navigates the unsuspecting user's iframe to a nefarious URL, then the page at the nefarious URL could start communicating with your parent window.
-`options.timeout: number` (optional) The amount of time, in milliseconds, Penpal should wait for the child to respond before rejecting the connection promise. There is no timeout by default.
+Regardless of how you configure `childOrigin`, communication will always be restricted to only the iframe to which you are connecting.
-`options.debug: boolean` (optional) Enables or disables debug logging. Debug logging is disabled by default.
+`options.timeout: number` (optional)
+
+The amount of time, in milliseconds, Penpal should wait for the child to respond before rejecting the connection promise. There is no timeout by default.
+
+`options.debug: boolean` (optional)
+
+Enables or disables debug logging. Debug logging is disabled by default.
#### Return value
The return value of `connectToChild` is a `connection` object with the following properties:
-`connection.promise: Promise` A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the child has exposed. Note that these aren't actual memory references to the methods the child exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the child, calling the actual method within the child with the arguments you have passed, and then sending the return value back to the parent. The promise you received will then be resolved with the return value.
+`connection.promise: Promise`
+
+A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the child has exposed. Note that these aren't actual memory references to the methods the child exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the child, calling the actual method within the child with the arguments you have passed, and then sending the return value back to the parent. The promise you received will then be resolved with the return value.
+
+`connection.destroy: Function`
-`connection.destroy: Function` A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
+A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
### `connectToParent([options: Object]) => Object`
#### Options
-`options.parentOrigin: string | RegExp` (optional) The origin of the parent window which your iframe will be communicating with. If this is not provided, communication will not be restricted to any particular parent origin resulting in any webpage being able to load your webpage into an iframe and communicate with it.
+`options.parentOrigin: string | RegExp` (optional **but highly recommended!**)
-`options.methods: Object` (optional) An object containing methods which should be exposed for the parent window to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+The origin of the parent window which your iframe will be communicating with. If this is not provided, communication will not be restricted to any particular parent origin resulting in any webpage being able to load your webpage into an iframe and communicate with it.
-`options.timeout: number` (optional) The amount of time, in milliseconds, Penpal should wait for the parent to respond before rejecting the connection promise. There is no timeout by default.
+`options.methods: Object` (optional)
-`options.debug: boolean` (optional) Enables or disables debug logging. Debug logging is disabled by default.
+An object containing methods which should be exposed for the parent window to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+
+`options.timeout: number` (optional)
+
+The amount of time, in milliseconds, Penpal should wait for the parent to respond before rejecting the connection promise. There is no timeout by default.
+
+`options.debug: boolean` (optional)
+
+Enables or disables debug logging. Debug logging is disabled by default.
#### Return value
-The return value of `connectToParent` is a `connection` object with the following property:
+The return value of `connectToParent` is a `connection` object with the following properties:
+
+`connection.promise: Promise`
+
+A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the parent has exposed. Note that these aren't actual memory references to the methods the parent exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the parent, calling the actual method within the parent with the arguments you have passed, and then sending the return value back to the child. The promise you received will then be resolved with the return value.
-`connection.promise: Promise` A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the parent has exposed. Note that these aren't actual memory references to the methods the parent exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the parent, calling the actual method within the parent with the arguments you have passed, and then sending the return value back to the child. The promise you received will then be resolved with the return value.
+`connection.destroy: Function`
-`connection.destroy: Function` A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
+A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
## Reconnection
@@ -158,12 +195,17 @@ NOTE: Currently there is no API to notify consumers of a reconnection. If this i
Penpal will throw (or reject promises with) errors in certain situations. Each error will have a `code` property which may be used for programmatic decisioning (e.g., do something if the error was due to a connection timing out) along with a `message` describing the problem. Errors may be thrown with the following codes:
-- `ConnectionDestroyed`
- - This error will be thrown when attempting to call a method on `child` or `parent` objects and the connection was previously destroyed.
-- `ConnectionTimeout`
- - `connection.promise` will be rejected with this error after the `timeout` duration has elapsed and a connection has not been established.
-- `NoIframeSrc`
- - This error will be thrown when the iframe passed into `connectToChild` does not have `src` or `srcdoc` set.
+`ConnectionDestroyed`
+
+This error will be thrown when attempting to call a method on `child` or `parent` objects and the connection was previously destroyed.
+
+`ConnectionTimeout`
+
+The promise found at `connection.promise` will be rejected with this error after the `timeout` duration has elapsed and a connection has not been established.
+
+`NoIframeSrc`
+
+This error will be thrown when the iframe passed into `connectToChild` does not have `src` or `srcdoc` set.
For your convenience, these error codes can be imported as follows:
diff --git a/scripts/test.js b/scripts/test.js
index e85cfd6..501a60d 100755
--- a/scripts/test.js
+++ b/scripts/test.js
@@ -18,6 +18,9 @@ const serveChildViews = () => {
.use(serveStatic('test/childFixtures'));
http.createServer(childViewsApp).listen(9000);
+ // Host the child views on two ports so tests can do interesting
+ // things like redirect the iframe between two origins.
+ http.createServer(childViewsApp).listen(9001);
};
const runTests = () => {
diff --git a/src/connectCallReceiver.ts b/src/connectCallReceiver.ts
index 0e09f9f..61d7054 100644
--- a/src/connectCallReceiver.ts
+++ b/src/connectCallReceiver.ts
@@ -35,7 +35,7 @@ export default (
return;
}
- if (event.origin !== originForReceiving) {
+ if (originForReceiving !== '*' && event.origin !== originForReceiving) {
log(
`${localName} received message from origin ${event.origin} which did not match expected origin ${originForReceiving}`
);
diff --git a/src/connectCallSender.ts b/src/connectCallSender.ts
index 866b662..28f44a1 100644
--- a/src/connectCallSender.ts
+++ b/src/connectCallSender.ts
@@ -85,7 +85,10 @@ export default (
return;
}
- if (event.origin !== originForReceiving) {
+ if (
+ originForReceiving !== '*' &&
+ event.origin !== originForReceiving
+ ) {
log(
`${localName} received message from origin ${event.origin} which did not match expected origin ${originForReceiving}`
);
diff --git a/src/parent/handleAckMessageFactory.ts b/src/parent/handleAckMessageFactory.ts
index bb4e4b5..7fd7f16 100644
--- a/src/parent/handleAckMessageFactory.ts
+++ b/src/parent/handleAckMessageFactory.ts
@@ -23,7 +23,7 @@ export default (
const callSender: CallSender = {};
return (event: MessageEvent): CallSender | undefined => {
- if (event.origin !== childOrigin) {
+ if (childOrigin !== '*' && event.origin !== childOrigin) {
log(
`Parent: Handshake - Received ACK message from origin ${event.origin} which did not match expected origin ${childOrigin}`
);
diff --git a/src/parent/handleSynMessageFactory.ts b/src/parent/handleSynMessageFactory.ts
index 535cfb1..1320e65 100644
--- a/src/parent/handleSynMessageFactory.ts
+++ b/src/parent/handleSynMessageFactory.ts
@@ -11,7 +11,7 @@ export default (
originForSending: string
) => {
return (event: MessageEvent) => {
- if (event.origin !== childOrigin) {
+ if (childOrigin !== '*' && event.origin !== childOrigin) {
log(
`Parent: Handshake - Received SYN message from origin ${event.origin} which did not match expected origin ${childOrigin}`
);
diff --git a/test/childFixtures/redirect.html b/test/childFixtures/redirect.html
new file mode 100644
index 0000000..5e93b0b
--- /dev/null
+++ b/test/childFixtures/redirect.html
@@ -0,0 +1,15 @@
+
+
+
+ Test Iframe
+
+
+
+ Test Iframe
+
+
diff --git a/test/connectionManagement.spec.js b/test/connectionManagement.spec.js
index 58633f0..e6ee65c 100644
--- a/test/connectionManagement.spec.js
+++ b/test/connectionManagement.spec.js
@@ -1,6 +1,26 @@
-import { CHILD_SERVER } from './constants';
+import { CHILD_SERVER, CHILD_SERVER_ALTERNATE } from './constants';
import { createAndAddIframe } from './utils';
+/**
+ * Asserts that no connection is successfully made between the parent and the
+ * child.
+ */
+const expectNoSuccessfulConnection = (connectionPromise, iframe) => {
+ const spy = jasmine.createSpy();
+
+ connectionPromise.then(spy);
+
+ return new Promise((resolve) => {
+ iframe.addEventListener('load', function () {
+ // Give Penpal time to try to make a handshake.
+ setTimeout(() => {
+ expect(spy).not.toHaveBeenCalled();
+ resolve();
+ }, 100);
+ });
+ });
+};
+
describe('connection management', () => {
it('connects to iframe when correct child origin provided', async () => {
const iframe = createAndAddIframe();
@@ -43,7 +63,7 @@ describe('connection management', () => {
await connection.promise;
});
- it("doesn't connect to iframe when incorrect child origin provided", (done) => {
+ it("doesn't connect to iframe when incorrect child origin provided", async () => {
const iframe = createAndAddIframe();
const connection = Penpal.connectToChild({
@@ -57,20 +77,10 @@ describe('connection management', () => {
// needed when childOrigin is not passed.
iframe.src = `${CHILD_SERVER}/default.html`;
- const spy = jasmine.createSpy();
-
- connection.promise.then(spy);
-
- iframe.addEventListener('load', function () {
- // Give Penpal time to try to make a handshake.
- setTimeout(() => {
- expect(spy).not.toHaveBeenCalled();
- done();
- }, 100);
- });
+ await expectNoSuccessfulConnection(connection.promise, iframe);
});
- it("doesn't connect to iframe connecting to mismatched parent origin", (done) => {
+ it("doesn't connect to iframe connecting to mismatched parent origin", async () => {
const iframe = createAndAddIframe(
`${CHILD_SERVER}/mismatchedParentOrigin.html`
);
@@ -79,39 +89,52 @@ describe('connection management', () => {
iframe,
});
- const spy = jasmine.createSpy();
+ await expectNoSuccessfulConnection(connection.promise, iframe);
+ });
- connection.promise.then(spy);
+ it("doesn't connect to iframe connecting to mismatched parent origin regex", async () => {
+ const iframe = createAndAddIframe(
+ `${CHILD_SERVER}/mismatchedParentOriginRegex.html`
+ );
- iframe.addEventListener('load', function () {
- // Give Penpal time to try to make a handshake.
- setTimeout(() => {
- expect(spy).not.toHaveBeenCalled();
- done();
- }, 100);
+ const connection = Penpal.connectToChild({
+ iframe,
});
+
+ await expectNoSuccessfulConnection(connection.promise, iframe);
});
- it("doesn't connect to iframe connecting to mismatched parent origin regex", (done) => {
+ it('connects to iframe when child redirects to different origin and child origin is set to *', async () => {
+ const redirectToUrl = encodeURIComponent(
+ `${CHILD_SERVER_ALTERNATE}/default.html`
+ );
const iframe = createAndAddIframe(
- `${CHILD_SERVER}/mismatchedParentOriginRegex.html`
+ `${CHILD_SERVER}/redirect.html?to=${redirectToUrl}`
);
const connection = Penpal.connectToChild({
+ debug: true,
iframe,
+ childOrigin: '*',
});
- const spy = jasmine.createSpy();
+ await connection.promise;
+ });
- connection.promise.then(spy);
+ it("doesn't connect to iframe when child redirects to different origin and child origin is not set", async () => {
+ const redirectToUrl = encodeURIComponent(
+ `${CHILD_SERVER_ALTERNATE}/default.html`
+ );
+ const iframe = createAndAddIframe(
+ `${CHILD_SERVER}/redirect.html?to=${redirectToUrl}`
+ );
- iframe.addEventListener('load', function () {
- // Give Penpal time to try to make a handshake.
- setTimeout(() => {
- expect(spy).not.toHaveBeenCalled();
- done();
- }, 100);
+ const connection = Penpal.connectToChild({
+ debug: true,
+ iframe,
});
+
+ await expectNoSuccessfulConnection(connection.promise, iframe);
});
it('reconnects after child reloads', (done) => {
diff --git a/test/constants.js b/test/constants.js
index 2d54f05..aab731d 100644
--- a/test/constants.js
+++ b/test/constants.js
@@ -1 +1,2 @@
export const CHILD_SERVER = `http://${window.location.hostname}:9000`;
+export const CHILD_SERVER_ALTERNATE = `http://${window.location.hostname}:9001`;