Yesterday, Douglas Crockford made a proposal for a cross-document scripting model; however, there’s already one in the WHAT WG working draft.
I’ve been reading both specifications. My notes below.
Cross Document Messages
In the WHAT WG model, a document sends a message by calling postMessage() on the target window or frame.
A receiving document (in another window or iframe) receives a message event, and will need to implement a listener. The event contains:
- a string representing the payload
- a string with domain of the sender
- the origin document
The listener can (but need not) check the origin domain, then act on the payload. It can also post a message back to the sender.
The Module Tag
Crockford’s Module Tag appears to be a replacement for Iframes within a window. Each module has an attribute for HTML or JavaScript source. Instead of event listeners, each module may implement a send and a receive method. Instead of a white list of origin domains, the security policy is that senders and receivers must pair up. Modules that don’t implement receive, but get a message, cause the sender to throw an exception.
The payload is a JavaScript object serialized to a string using JSON rules. It can’t pass functions across boundaries.
Crockford’s model intends to make mashups explicit, and looks like syntactic sugar for the WHAT WG model.
- Both proposals wall off each document’s functions and variables from one another.
- The WHAT WG model supports cross-window communication (and yes, there are Web 2.0 apps that use multiple windows). The Module tag doesn’t provide for that.
- WHAT WG provides, but doesn’t enforce, an origin model.
- The WHAT WG model sends arbitrary strings. The Module tag restricts that to strings that are legal JSON serializations. I suppose you could send a malicious function over the boundary as a string, but you’d have to turn it into a function using new Function().
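As an added example (not from the original post or either specification), here is how a receiving document can apply both points above: check the sender's origin against a list it trusts, and treat the payload strictly as JSON data, so a function sent as a string never becomes executable. The event fields (data, origin, source) follow the shape the API eventually shipped with, and the allowed origins and sample events are constructed so the code runs outside a browser.

```javascript
// Origins this document is willing to accept messages from (constructed values).
const ALLOWED_ORIGINS = new Set(["https://widgets.example", "https://app.example"]);

// Serialize a payload the way the Module Tag requires: JSON only.
// Functions have no JSON representation, so JSON.stringify drops them;
// nothing executable crosses the boundary.
function serializePayload(obj) {
  return JSON.stringify(obj);
}

// Handle one incoming message event.
// Returns { ok: true, payload } or { ok: false, reason }.
function handleMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // The WHAT WG model lets the listener skip this check; a careful one does not.
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  if (typeof event.data !== "string") {
    return { ok: false, reason: "payload-not-string" };
  }
  let payload;
  try {
    payload = JSON.parse(event.data); // parse as data, never eval() or new Function()
  } catch (err) {
    return { ok: false, reason: "payload-not-json" };
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, reason: "payload-not-object" };
  }
  return { ok: true, payload };
}

// Post a JSON reply back to the sender, restricted to the origin we verified.
function reply(event, obj) {
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage(serializePayload(obj), event.origin);
    return true;
  }
  return false;
}

// Constructed sample events standing in for real MessageEvents.
const goodEvent = { origin: "https://widgets.example", data: serializePayload({ type: "resize", height: 300 }) };
const wrongOriginEvent = { origin: "https://other.example", data: "{}" };
const codeStringEvent = { origin: "https://widgets.example", data: "1 + 1" }; // not JSON, rejected
```

In a page this would be wired up with `window.addEventListener("message", e => handleMessage(e))`; the sample events exist only so the logic can be exercised without a browser.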
Comments and corrections to this are welcome.
