I’ve been reading both specifications. My notes below.
Cross Document Messages
In the WHAT WG model, documents can implement
A receiving document (in another window or iframe) receives a
message event, and will need to implement a listener. The event contains:
- a string representing the payload
- a string with domain of the sender
- the origin document
The listener can (but not must) check the origin domain, then do something with the payload. It can also post a message back to the sender.
The Module Tag
send and a
receive method. Instead of a white list of origin domains, the security policy is that senders and receivers must pair up. Modules that don’t implement receive, but get a message, cause the sender to throw an exception.
Crockford’s model intends to make mashups explicit, and looks like syntactic sugar for the WHAT WG model.
- Both proposals wall-off each document’s functions and variables from one another.
- The WHAT-WG model provides support for cross-window communication, and yes there are Web 2.0 apps that use multiple windows. The Module tag doesn’t provide for that.
- WHAT-WG provides, but doesn’t enforce a origin model.
- The WHAT-WG model sends arbitrary strings. The Module tag restricts that to strings that are legal JSON serializations. I suppose you could send a malicious function over the boundary as a string, but you’d have to turn it into a function using
Comments and corrections to this are welcome.
Possibly Related posts (machine generated):