YuzuJS/setImmediate

global.postMessage issue

rawb opened this issue · 2 comments

rawb commented

Hello,

Using installPostMessageImplementation() will use global.postMessage to send messages. If, let's say, you maintain a browser extension that has access to window and executes this code, you will send a message that a web page could be listening to. If the web page has code that is listening for messages, but does not clean the message before processing (JSON.parse(message)), you could break a site unintentionally.

I know as professionals we should clean input before processing or try/catch, etc, but big sites such as icloud.com fall victim to this issue.

After navigating to the notes section after logging in to icloud.com, the page will error if you execute a setImmediate() call sometime during loading.

That is indeed somewhat scary. Do you think postMessage should be avoided altogether?

rawb commented

As the readme mentions, window.postMessage seems like it's the best hack available until something native comes along. I wrote this issue without understanding the need for window.postMessage for this lib and understanding that there is no better alternative. Thanks for reading it though!
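
The page-side half of the problem discussed in this thread, as an added example that is not code from the setImmediate project or from the commenters: a listener that parses every message next to one that tolerates messages it did not send. The origin, the `app` field and all event data are constructed assumptions; the `setImmediate$...` string only stands in for a non-JSON message posted through the page's own window.

```javascript
// Constructed events; runs in Node, no browser needed.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // hypothetical origin

// Listener of the kind described in the issue: parses whatever arrives.
function fragileHandler(event) {
  return JSON.parse(event.data); // throws SyntaxError on non-JSON strings
}

// Hardened listener: origin filter, type check, guarded parse, schema check.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null; // someone else's message, ignore it
  }
  // Valid JSON is not enough: require the shape this page actually sends.
  if (msg === null || typeof msg !== "object" || msg.app !== "notes") return null;
  return msg;
}

// Feed each event to a handler the way a message listener would receive it,
// recording whether the handler threw (an uncaught throw breaks page logic).
function dispatch(handler, events) {
  return events.map((ev) => {
    try {
      return { ok: true, value: handler(ev) };
    } catch (e) {
      return { ok: false, error: e.name };
    }
  });
}

const SAMPLE_EVENTS = [
  { origin: "https://app.example", data: '{"app":"notes","action":"open"}' },
  // Posted via the page's own window, so the origin check alone passes it.
  { origin: "https://app.example", data: "setImmediate$0.123$1" },
  { origin: "https://other.example", data: '{"app":"notes","action":"open"}' },
  { origin: "https://app.example", data: "42" }, // valid JSON, wrong shape
];

console.log(dispatch(fragileHandler, SAMPLE_EVENTS));
console.log(dispatch(hardenedHandler, SAMPLE_EVENTS));
```

The second event shows why an origin check alone does not help here: a script running against the page's window posts with the page's own origin, so the guarded parse and the shape check are what keep the listener alive.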