Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
post-robot
Advanced tools
Changelog
11.0.0 (2022-03-01)
move to @krakenjs scope
add tooling for code coverage, changelogs, and conventional commits (#103) (e3be73c)
All notable changes to this project will be documented in this file. Dates are displayed in UTC.
Generated by auto-changelog
.
Readme
Cross domain post-messaging on the client side, using a simple listener/client pattern.
Send a message to another window, and:
post-robot will serialize and deserialize the following data types in messages:
Promise
- specifically a ZalgoPromise
ZalgoPromise
new Error("This error will self-destruct in 10, 9, 8...")
/[a-zA-Z0-9]*/
// Set up a listener
postRobot.on('getUser', function(event) {
// Have it return some data to the calling window
return {
id: 1234,
name: 'Zippy the Pinhead',
// Yep, we're even returning a function to the other window!
logout: function() {
return $currentUser.logout();
}
};
});
// Call the listener, on a different window, on a different domain
postRobot.send(someWindow, 'getUser', { id: 1337 }).then(function(event) {
var user = event.data;
console.log(event.source, event.origin, 'Got user:', user);
// Call the user.logout function from the other window!
user.logout();
}).catch(function(err) {
// Handle any errors that stopped our call from going through
console.error(err);
});
postRobot.on('getUser', function(event) {
return getUser(event.data.id).then(function(user) {
return {
name: user.name
};
});
});
postRobot.once('getUser', function(event) {
return {
name: 'Noggin the Nog'
};
});
var listener = postRobot.on('getUser', function(event) {
return {
id: event.data.id,
name: 'Zippy the Pinhead'
};
});
listener.cancel();
postRobot.on('getUser', { window: window.parent }, function(event) {
return {
name: 'Guybrush Threepwood'
};
});
postRobot.on('getUser', { domain: 'http://zombo.com' }, function(event) {
return {
name: 'Manny Calavera'
};
});
postRobot.send(someWindow, 'getUser', { id: 1337 }, { timeout: 5000 }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
}).catch(function(err) {
console.error(err);
});
postRobot.send(someWindow, 'getUser', { id: 1337 }, { domain: 'http://zombo.com' }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
});
postRobot.on('getUser', async ({ source, origin, data }) => {
let user = await getUser(data.id);
return {
id: data.id,
name: user.name
};
});
try {
let { source, origin, data } = await postRobot.send(someWindow, `getUser`, { id: 1337 });
console.log(source, origin, 'Got user:', data.name);
} catch (err) {
console.error(err);
}
For security reasons, it is recommended that you always explicitly specify the window and domain you want to listen to and send messages to. This creates a secure message channel that only works between two windows on the specified domain:
postRobot.on('getUser', { window: childWindow, domain: 'http://zombo.com' }, function(event) {
return {
id: event.data.id,
name: 'Frodo'
};
});
postRobot.send(someWindow, 'getUser', { id: 1337 }, { domain: 'http://zombo.com' }).then(function(event) {
console.log(event.source, event.origin, 'Got user:', event.data.name);
}).catch(function(err) {
console.error(err);
});
Post robot lets you send across functions in your data payload, fairly seamlessly.
For example:
postRobot.on('getUser', function(event) {
return {
id: event.data.id,
name: 'Nogbad the Bad',
logout: function() {
currentUser.logout();
}
};
});
postRobot.send(myWindow, 'getUser', { id: 1337 }).then(function(event) {
var user = event.data;
user.logout().then(function() {
console.log('User was logged out');
});
});
The function user.logout()
will be called on the original window. Post Robot transparently messages back to the
original window, calls the function that was passed, then messages back with the result of the function.
Because this uses post-messaging behind the scenes and is therefore always async, user.logout()
will always return a promise, and must be .then
'd or await
ed.
Unfortunately, IE blocks direct post messaging between a parent window and a popup, on different domains.
In order to use post-robot in IE9+ with popup windows, you will need to set up an invisible 'bridge' iframe on your parent page:
[ Parent page ]
+---------------------+ [ Popup ]
| xx.com |
| | +--------------+
| +---------------+ | | yy.com |
| | [iframe] | | | |
| | | | | |
| | yy.com/bridge | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | +--------------+
| +---------------+ |
| |
+---------------------+
a. Use the special ie
build of post-robot: dist/post-robot.ie.js
.
b. Create a bridge path on the domain of your popup, for example http://yy.com/bridge.html
, and include post-robot:
<script src="http://yy.com/js/post-robot.ie.js"></script>
c. In the parent page on xx.com
which opens the popup, include the following javascript:
<script>
postRobot.bridge.openBridge('http://yy.com/bridge.html');
</script>
Now xx.com
and yy.com
can communicate freely using post-robot, in IE.
FAQs
Simple postMessage based server.
The npm package post-robot receives a total of 37,014 weekly downloads. As such, post-robot popularity was classified as popular.
We found that post-robot demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.