Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@nmbrco/rimless
Advanced tools
event base communication made easy with a promise-based API wrapping `postMessage`
Rimless makes event based communication easy with a promise-based API wrapping postMessage. Works with both iframes and webworkers.
You can use rimless
to call remote procedures, exchange data or expose local functions with iframes/webworkers.
You can see it in action here https://au-re.github.io/rimless.
Rimless can be installed via npm.
$ npm i -S rimless
or from a CDN
<script src="https://unpkg.com/rimless/lib/rimless.min.js"></script>
in the host website
import { host } from "rimless";
const connection = await host.connect(iframe, {
myVariable: 12,
myFunction: (value) => `hello ${value}`,
});
// access variables on the iframe
console.log(connection.remote.myIframeVariable); // 42
// call remote procedures on the iframe
const result = await connection.remote.myIframeFunction("here");
console.log(result); // hello here
// close the connection
connection.close();
in the iframe
import { guest } from "rimless";
const connection = await guest.connect({
myIframeVariable: 42,
myIframeFunction: (value) => `hello ${value}`,
});
// access variables on the host
console.log(connection.remote.myVariable); // 12
// call remote procedures on host
const res = await connection.remote.myFunction("there");
console.log(res); // hello there
// close the connection
connection.close();
This is how you can connect your website to an iframe or webworker:
import { host } from "rimless";
const iframe = document.getElementById("myIframe");
const worker = new Worker("myWorker");
// connect to the iframe
host.connect(iframe);
// connect to the worker
host.connect(worker);
You also need to connect your iframe/webworker to the host website.
Usage from an iframe:
import { guest } from "rimless";
// connect to the parent website
guest.connect();
Usage from a webworker:
importScripts("https://unpkg.com/rimless/lib/rimless.min.js");
const { guest } = rimless;
// connect to the parent website
guest.connect();
To do anything meaningful with this connection you need to provide a schema that defines the API of the host/iframe/webworker. Any serializeable values as well as functions are ok to use. In the example below the host website provides a function that will update its background color when invoked.
import { host } from "rimless";
const api = {
setColor: (color) => {
document.body.style.background = color;
},
};
const iframe = document.getElementById("myIframe");
host.connect(iframe, api);
The api schema must be passed on connection, the same applies to the iframe/webworker
.
With the host API exposed we can now invoke the remote procedure from the iframe.
import { guest } from "rimless";
// connect returns a promise that resolves in a connection object
// `connection.remote` contains the api you can invoke
guest.connect().then((connection) => {
connection.remote.setColor("#011627");
});
Closing a connection will remove all event listeners that were registered.
import { guest } from "rimless";
guest.connect().then((connection) => {
connection.close();
});
Now both can make use of the APIs they have shared with each other, e.g.
someAction
on the parent.someAction
and the result is returned to the guest.All parameters passed through postMessage
need to be serializeable. This applies also for all return values of the functions you expose.
// someFunction would return undefined when called in the remote.
const api = {
someFunction: () => () => {},
};
This library is inspired by Postmate and Penpal.
Rimless exports two objects: host
and guest
.
host.connect
Connect your website to a "guest" (iframe/webworker).
host.connect(iframe, {
log: (value) => console.log(value)
});
Name | Type | Description | Required |
---|---|---|---|
guest | HTMLIFrameElement or Worker | Target of the connection | required |
schema | object | schema of the api you want to expose | - |
options | object | - | - |
guest.connect
Connect a "guest" to your website. The guest connection automatically happens based on the environment it is run.
guest.connect({
log: (value) => console.log(value)
});
Name | Type | Description | Default |
---|---|---|---|
schema | object | schema of the api you want to expose | - |
options | object | - | - |
We use the airbnb style guide when writing javascript, with some minor modifications. Make sure eslint is installed and running before making changes, as it will ensure your coding style matches that of the project.
We use commitizen and
angular's conventional changelog
to enforce a consistent commit format. When writing commits, make sure you run npm run commit
instead of git commit
.
FAQs
event base communication made easy with a promise-based API wrapping `postMessage`
We found that @nmbrco/rimless demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.