javascript - Is it possible to send a function to another window using postMessage without having to eval it? -

-

postmessage accepts strings, has converted string (which isn't problem). once there needs executed. best way this?

don't send function, , don't eval receive in onmessage event - come anywhere.

cross document messaging designed hole in same origin security policy implemented browsers, if you're going purposely work around policy incumbent on understand you're doing , handle security yourself. calling eval on you're offering run on page, presumably containing user's data, javascript hacker can trick page accepting.

a better way whitelist allowed operations , select among them based on what's passed onmessage.

function receivemessage(event) {   // trust sender of message?   // test domain sending messages   if (event.origin !== "http://example.com:")     return;    if (event.data == 'command1') docommand1(); //define these functions elsewhere   if (event.data == 'command2') docommand2(); //note no data passed event }  window.addeventlistener("message", receivemessage, false);

if want pass parameters use json.stringify(). if there's predefined set of parameters expect can use same approach above, no need ever pass string potentially unknown source direct code. if need deal variable parameter take standard precautions string unknown source.


Comments

Post a Comment

Popular posts from this blog

Javascript line number mapping -

-
magically formatted comments change reported line number of javascript errors in browsers; this: //@line n "f" n line number , f file name. unfortunately, //@line appears ungoogleable. know there documentation on feature, , browsers support it? (i found references here , here .) from can find available in mozilla based browsers. it using js_setoptions command can turn these options on or off depending on values passed. https://developer.mozilla.org/en/js_setoptions
Read more

c# - Is it possible to remove an existing registration from Autofac container builder? -

-
something along lines: builder.registertype<mytype>().as<itype>(); builder.registertype<mytype2>().as<itype>(); builder.deregistertype<mytype>().as<itype>() var container = builder.build(); var types = container.resolve<ienumerable<itype>>(); assert.istrue(types.count == 1); assert.istrue(types[0].gettype == typeof(mytype2)); scenario: go through bunch of assemblies , go register types want make sure have 1 implementation of given type. need before create container. track on own nice if autofac me bit. this cannot done directly using containerbuilder , unless start on new one. mind you, having first built container should able construct new container filtering away unwanted types , reusing registrations first container. this: ... var container = builder.build(); builder = new containerbuilder(); var components = container.componentregistry.registrations .where(cr => cr.activator.limittype != typ...
Read more

php - Mysql PK and FK char(36) vs int(10) -

-
i have read mysql can handle indexes , searches better if tables keys integers rather char(36) uuid's. is worth converting int(10)? note: use 1 server , have have plans use multiple databases concurrently therefore removing 1 of big reasons using uuid. our tables innodb if makes difference. thanks in advance. usually rdbms can handle integer keys pk more efficient, other datatypes. reason how build index column, yes: long dont require string (or other typed) keys, should use integers. however: char(36) , int(10) far away being equal, because int(10) much smaller, char(36). dont know, if require many different keys, should keep in mind. update, complete last paragraph: int(10) 32-bit, char(36) 36 - ^byte^ (= 288-bit). not mean, int consumes less space, means, char(36) has 4 times more different keys.
Read more