The window.postMessage method safely enables cross-origin communication -

Normally, scripts on different pages are allowed to access each other if and only if the pages that executed them are at locations with the same protocol (usually both https), port number (443 being the default for https), and host (modulo document.domain being set by both pages to the same value).

window.postMessage provides a controlled mechanism to circumvent this restriction in a way which is secure when properly used.

otherWindow.postMessage(message, targetOrigin, [transfer]);

The window.postMessage method, when called, causes a MessageEvent to be dispatched at the target window when any pending script that must be executed completes (e.g., remaining event handlers if window.postMessage is called from an event handler, previously-set pending timeouts, etc.)

The MessageEvent has the type message, a data property which is set to the value of the first argument provided to window.postMessage, an origin property corresponding to the origin of the main document in the window calling window.postMessage at the time window.postMessage was called, and a source property which is the window from which window.postMessage is called.

# Experiments

We have doen a couple of experiments with windows.postmessage in wiki. See Popup Plugin and work cuurently underway with the About Frame Plugin.

# Slides

Reveal.js has a window.postMessage api that can be enabled: - github

# See also