PostMessage from a sandboxed iFrame to the main window, origin is always null

As pointed out here, there is a perfectly fine way to determine the sender in that scenario, without giving the allow-same-origin permission:

  window.addEventListener('message', function (e) {
    // Sandboxed iframes which lack the 'allow-same-origin'
    // token have "null" rather than a valid origin. This means you still
    // have to be careful about accepting data via the messaging API you
    // create. Check that source, and validate those inputs!
    var frame = document.getElementById('sandboxed');
    if (e.origin === "null" && e.source === frame.contentWindow)
      alert('Result: ' + e.data);
  });

Note that the origin isn't null, it's "null".
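
The check described in the answer above, extended with payload validation, as an added example that is not part of the original answers. The message shape `{type: 'result', value: <number>}` and the function names are assumptions; the `sandboxed` element id comes from the snippet above.

```javascript
// Returns the validated payload, or null if the message must be ignored.
function acceptSandboxMessage(event, frameWindow) {
  // A sandboxed frame without allow-same-origin reports the *string* "null".
  // Every opaque origin serializes to that same value, so it identifies nobody.
  if (event.origin !== 'null') return null;
  // Identity check: the sender must be the one frame this page embedded.
  if (!frameWindow || event.source !== frameWindow) return null;
  // The payload is untrusted input: check shape and types before use.
  const d = event.data;
  if (typeof d !== 'object' || d === null) return null;
  if (d.type !== 'result' || !Number.isFinite(d.value)) return null;
  return { type: d.type, value: d.value }; // copy only the expected fields
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', function (e) {
    const frame = document.getElementById('sandboxed');
    const msg = acceptSandboxMessage(e, frame && frame.contentWindow);
    if (msg) console.log('Result:', msg.value);
  });
}

// Constructed sample events (plain objects standing in for MessageEvent),
// so the decision logic can be exercised without a DOM.
function demo() {
  const frameWin = {};   // stands in for frame.contentWindow
  const otherWin = {};   // some other window or frame
  const good = { type: 'result', value: 42 };
  const events = [
    { origin: 'null', source: frameWin, data: good },              // accepted
    { origin: null, source: frameWin, data: good },                // null, not "null"
    { origin: 'null', source: otherWin, data: good },              // wrong sender
    { origin: 'https://example.com', source: frameWin, data: good }, // not sandboxed
    { origin: 'null', source: frameWin, data: '<b>hi</b>' },       // wrong shape
    { origin: 'null', source: frameWin, data: { type: 'result', value: '42' } },
  ];
  return events.map((e) => acceptSandboxMessage(e, frameWin) !== null);
}

if (typeof window === 'undefined') console.log(demo());
```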


Since the iframe is sandboxed, it lost access to its origin data.

Adding allow-same-origin to the iframe sandbox property will make it work again.