In #73, the ability to allow any child origin was added via '*'. We'd like to do the same thing, but with the restriction of only allowing subdomains of the original child origin as a safer alternative. We can sometimes redirect to a subdomain for certain customer configurations.
Proposed change: if the configured childOrigin domain begins with ., treat subdomains as equivalent.
Thanks for logging this. I don't think supporting this securely is very straightforward since Penpal is limited by the underlying postMessage browser API. When using postMessage, the target origin needs to be specified as * or a specific origin.
In the scenario you're describing, the parent would need to know the child's specific subdomain in order to securely connect to the child. I'll keep thinking about this. I'm open to ideas.
I actually have an implementation on the workers branch that supports a regex or string for both parentOrigin (when connecting from child to parent) and childOrigin (when connecting from parent to a child). That branch also includes support for workers (instead of just iframes) and transferables. It's not quite ready to release though. I think the main thing remaining is getting the types straightened out, particularly for the transferables support.
If you want to try it out, give it a spin! I can also publish a pre-release version to npm if that would help.
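To make the two sides of this thread concrete, here is an added example (not Penpal's code and not written by anyone in this thread) of how a receiver could evaluate an incoming postMessage origin against a configured value whose host begins with ".", as the issue proposes, while still honouring the point made above that the reply must target one specific origin rather than a pattern. It assumes a pattern of the form "scheme://.domain[:port]" (scheme and port must match exactly, and the bare domain itself is accepted alongside its subdomains); the function names, the pattern syntax and the constructed message events are all assumptions made here, not anything the library defines.

```javascript
// Added example (not Penpal's code): validate a postMessage sender's origin
// against a configured origin whose host starts with ".", meaning "this domain
// or any subdomain", and reply only to the exact origin that was observed.
//
// Assumptions (not from the issue thread): the configured value has the form
// "<scheme>://.<domain>[:<port>]"; scheme and port must match exactly.

const PATTERN_RE =
  /^([a-z][a-z0-9+.-]*):\/\/(\.?)([a-z0-9]([a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/i;

// Parse "https://.example.com:8443" into { protocol, hostname, port, subdomains }.
// Returns null when the string is not a plain origin (including "*").
function parseOriginPattern(pattern) {
  const m = PATTERN_RE.exec(pattern);
  if (!m) return null;
  const [, scheme, dot, host, , port] = m;
  // Let the URL parser normalise case and strip a default port (":443" on https).
  let url;
  try {
    url = new URL(`${scheme}://${host}${port ? `:${port}` : ''}`);
  } catch {
    return null;
  }
  return {
    protocol: url.protocol,   // e.g. "https:"
    hostname: url.hostname,   // e.g. "example.com"
    port: url.port,           // "" when it is the scheme's default
    subdomains: dot === '.',  // leading dot => subdomains allowed
  };
}

// Decide whether an observed MessageEvent.origin satisfies the configured pattern.
// Only scheme, host and port take part: origins have no path, and the explicit
// "." boundary on the hostname suffix is what keeps "evilexample.com" out.
function originMatches(pattern, origin) {
  const want = parseOriginPattern(pattern);
  if (!want || typeof origin !== 'string' || origin === 'null') return false;
  let got;
  try {
    got = new URL(origin);
  } catch {
    return false;
  }
  // event.origin is always the serialised origin (scheme://host[:port], lower
  // case, default port omitted); anything else is not an origin and is refused.
  if (got.origin !== origin) return false;
  if (got.protocol !== want.protocol || got.port !== want.port) return false;
  if (got.hostname === want.hostname) return true;
  return want.subdomains && got.hostname.endsWith(`.${want.hostname}`);
}

// Handle a (constructed) message event: drop anything from an unexpected
// origin, and return the exact origin to use as targetOrigin for the reply.
function handleMessage(configuredOrigin, event) {
  if (!originMatches(configuredOrigin, event.origin)) {
    return { accepted: false, replyTo: null };
  }
  // Reply to the concrete origin we saw, never to the pattern and never to "*".
  return { accepted: true, replyTo: event.origin };
}

// Constructed sample events standing in for real MessageEvents.
const sampleEvents = [
  { origin: 'https://app.example.com', data: 'hello from a subdomain' },
  { origin: 'https://evilexample.com', data: 'suffix trick' },
  { origin: 'https://example.com.evil.net', data: 'prefix trick' },
];
for (const ev of sampleEvents) {
  console.log(ev.origin, '=>', handleMessage('https://.example.com', ev));
}
```

The matcher only solves the receiving half of the problem: it tells a window whether a message came from an acceptable subdomain. For the sending half, the concrete `event.origin` observed on an accepted message is what gets passed as `targetOrigin`, which is how the parent ends up knowing the child's specific subdomain without ever falling back to "*".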