Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
By Sarah Gooding - Sep 30, 2024
@krakenjs/post-robot
Advanced tools
post-robot [:]-\-<
Cross domain post-messaging on the client side, using a simple listener/client pattern.
Send a message to another window, and:
- Get a response from the window you messaged
- Pass functions to another window, across different domains
- Handle any errors that prevented your message from getting through
- Don't worry about serializing your messages; just send javascript objects
- Use promises or async/await to wait for responses from windows you message
- Set up a secure message channel between two windows on a certain domain
- Send messages between a parent and a popup window in IE
Serialization
post-robot will serialize and deserialize the following data types in messages:
- Objects, arrays, strings, numbers, booleans, null
- Note: this includes any JSON-serializable types
- Functions
- Note: the function passed will be a reference to the original function, and the deserialized function will always return a
Promise- specifically aZalgoPromise
- Note: the function passed will be a reference to the original function, and the deserialized function will always return a
- Promises
- Note: deserialized promises will be instances of
ZalgoPromise
- Note: deserialized promises will be instances of
- Error objects
- e.g.
new Error("This error will self-destruct in 10, 9, 8...")
- e.g.
- Regex objects
- e.g.
/[a-zA-Z0-9]*/
- e.g.
Simple listener and sender
// Set up a listener
postRobot.on('getUser', function(event) {
// Have it return some data to the calling window
return {
id: 1234,
name: 'Zippy the Pinhead',
// Yep, we're even returning a function to the other window!
logout: function() {
return $currentUser.logout();
}
};
});
// Call the listener, on a different window, on a different domain
postRobot.send(someWindow, 'getUser', { id: 1337 }).then(function(event) {
var user = event.data;
console.log(event.source, event.origin, 'Got user:', user);
// Call the user.logout function from the other window!
user.logout();
}).catch(function(err) {
// Handle any errors that stopped our call from going through
console.error(err);
});
Listener with promise response
postRobot.on('getUser', function(event) {
return getUser(event.data.id).then(function(user) {
return {
name: user.name
};
});
});
One-off listener
postRobot.once('getUser', function(event) {
return {
name: 'Noggin the Nog'
};
});
Cancelling a listener
var listener = postRobot.on('getUser', function(event) {
return {
id: event.data.id,
name: 'Zippy the Pinhead'
};
});
listener.cancel();
Listen for messages from a specific window
postRobot.on('getUser', { window: window.parent }, function(event) {
return {
name: 'Guybrush Threepwood'
};
});
Listen for messages from a specific domain
postRobot.on('getUser', { domain: 'http://zombo.com' }, function(event) {
return {
name: 'Manny Calavera'
};
});
Set a timeout for a response
postRobot.send(someWindow, 'getUser', { id: 1337 }, { timeout: 5000 }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
}).catch(function(err) {
console.error(err);
});
Send a message to a specific domain
postRobot.send(someWindow, 'getUser', { id: 1337 }, { domain: 'http://zombo.com' }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
});
Async / Await
postRobot.on('getUser', async ({ source, origin, data }) => {
let user = await getUser(data.id);
return {
id: data.id,
name: user.name
};
});
try {
let { source, origin, data } = await postRobot.send(someWindow, `getUser`, { id: 1337 });
console.log(source, origin, 'Got user:', data.name);
} catch (err) {
console.error(err);
}
Secure Message Channel
For security reasons, it is recommended that you always explicitly specify the window and domain you want to listen to and send messages to. This creates a secure message channel that only works between two windows on the specified domain:
postRobot.on('getUser', { window: childWindow, domain: 'http://zombo.com' }, function(event) {
return {
id: event.data.id,
name: 'Frodo'
};
});
postRobot.send(someWindow, 'getUser', { id: 1337 }, { domain: 'http://zombo.com' }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
}).catch(function(err) {
console.error(err);
});
Functions
Post robot lets you send across functions in your data payload, fairly seamlessly.
For example:
postRobot.on('getUser', function(event) {
return {
id: event.data.id,
name: 'Nogbad the Bad',
logout: function() {
currentUser.logout();
}
};
});
postRobot.send(myWindow, 'getUser', { id: 1337 }).then(function(event) {
var user = event.data;
user.logout().then(function() {
console.log('User was logged out');
});
});
The function user.logout() will be called on the original window. Post Robot transparently messages back to the
original window, calls the function that was passed, then messages back with the result of the function.
Because this uses post-messaging behind the scenes and is therefore always async, user.logout() will always return a promise, and must be .then'd or awaited.
Parent to popup messaging
Unfortunately, IE blocks direct post messaging between a parent window and a popup, on different domains.
In order to use post-robot in IE9+ with popup windows, you will need to set up an invisible 'bridge' iframe on your parent page:
[ Parent page ]
+---------------------+ [ Popup ]
| xx.com |
| | +--------------+
| +---------------+ | | yy.com |
| | [iframe] | | | |
| | | | | |
| | yy.com/bridge | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | +--------------+
| +---------------+ |
| |
+---------------------+
a. Use the special ie build of post-robot: dist/post-robot.ie.js.
b. Create a bridge path on the domain of your popup, for example http://yy.com/bridge.html, and include post-robot:
<script src="http://yy.com/js/post-robot.ie.js"></script>
c. In the parent page on xx.com which opens the popup, include the following javascript:
<script>
postRobot.bridge.openBridge('http://yy.com/bridge.html');
</script>
Now xx.com and yy.com can communicate freely using post-robot, in IE.
11.0.0 (2022-03-01)
⚠ BREAKING CHANGES
-
move to @krakenjs scope
-
add tooling for code coverage, changelogs, and conventional commits (#103) (e3be73c)
Changelog
All notable changes to this project will be documented in this file. Dates are displayed in UTC.
Generated by auto-changelog.
FAQs
Simple postMessage based server.
The npm package @krakenjs/post-robot receives a total of 3,495 weekly downloads. As such, @krakenjs/post-robot popularity was classified as popular.
We found that @krakenjs/post-robot demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.
Package last updated on 01 Mar 2022
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Malicious “express-dompurify” npm Package Steals Browser and Cryptocurrency Wallet Data
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
By Socket Research Team - Sep 27, 2024
Security News
ENISA 2024 Threat Landscape Report Warns of Increasing State-Sponsored Supply Chain Attacks on Open Source Software
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.
By Sarah Gooding - Sep 27, 2024