PostMessage from a sandboxed iFrame to the main window, origin is always null
As pointed out here, there is a perfectly fine way to determine the sender in that scenario, without giving the allow-same-origin permission:
// Sandboxed iframes which lack the 'allow-same-origin'
// header have "null" rather than a valid origin. This means you still
// have to be careful about accepting data via the messaging API you
// create. Check that source, and validate those inputs!
var frame = document.getElementById('sandboxed');
window.addEventListener('message', function (e) {
  // Compare against the string "null" and pin the exact sending window.
  if (e.origin === "null" && e.source === frame.contentWindow)
    alert('Result: ' + e.data);
});
Note that the origin isn't null, it's "null".
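The check above works because a sandboxed frame without allow-same-origin gets an opaque origin, which postMessage reports as the string "null". That string alone identifies nothing (every opaque-origin document sends it), so the source comparison does the real work, and the payload still has to be validated. The following is an added example, not code from the answer above: it splits the handler into testable functions, assumes a hypothetical iframe with id "sandboxed" that posts objects of the form { type: "result", value: <number> }, and uses constructed sample events (plain objects standing in for window references) so it can run outside a browser.

```javascript
// Added example (not from the original answer). Assumptions: an iframe with
// id "sandboxed" (hypothetical) posts messages shaped { type: "result", value: <number> }.

// Pure origin/source check so it can be tested without a DOM.
// `event` is a MessageEvent-like object; `expectedSource` is the iframe's contentWindow.
function isFromSandboxedFrame(event, expectedSource) {
  // A sandboxed iframe lacking allow-same-origin has an opaque origin, which
  // postMessage serialises as the *string* "null", not the value null.
  if (event.origin !== "null") return false;
  // "null" is not proof of identity: any opaque-origin document sends it,
  // so pin the exact sending window as well.
  return expectedSource != null && event.source === expectedSource;
}

// Validate the payload shape before acting on it; never trust structure blindly.
function parseResult(data) {
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "result") return null;
  if (typeof data.value !== "number" || !Number.isFinite(data.value)) return null;
  return data.value;
}

// Returns the accepted numeric value, or null if the message was rejected.
function handleMessage(event, expectedSource) {
  if (!isFromSandboxedFrame(event, expectedSource)) return null;
  return parseResult(event.data);
}

// Browser wiring; only runs where a DOM exists.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  var frame = document.getElementById("sandboxed");
  window.addEventListener("message", function (e) {
    var value = handleMessage(e, frame && frame.contentWindow);
    if (value !== null) console.log("Result: " + value);
  });
}

// Constructed sample events: plain objects stand in for window references.
var sandboxWin = { name: "sandboxed-frame" };
var otherWin = { name: "some-other-opaque-frame" };
var samples = [
  // accepted: opaque origin, correct source, well-formed payload
  { origin: "null", source: sandboxWin, data: { type: "result", value: 42 } },
  // rejected: opaque origin but a different sender
  { origin: "null", source: otherWin, data: { type: "result", value: 42 } },
  // rejected: a real origin, so not the sandboxed frame at all
  { origin: "https://example.org", source: sandboxWin, data: { type: "result", value: 42 } },
  // rejected: right sender, but the payload fails validation (value is a string)
  { origin: "null", source: sandboxWin, data: { type: "result", value: "42" } },
];

if (typeof document === "undefined") {
  samples.forEach(function (ev, i) {
    console.log("sample " + i + " ->", handleMessage(ev, sandboxWin));
  });
}
```

In a page, the only identity the handler should rely on is the `e.source === frame.contentWindow` comparison; the `"null"` origin test merely confirms the frame is still sandboxed as expected, and `parseResult` keeps a malformed or unexpected payload from reaching application logic.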
Since the iframe is sandboxed, it lost access to its origin data. Adding allow-same-origin to the iframe sandbox property will make it work again.