false childOrigin to skip origin check

[KutnerUri]

Allow consumers to skip iframe origin url check in connectToChild().
This is useful when the iframe redirects, etc.

connectToChild() already checks the message origin is the target iframe, so it should be ok.

Closes #73

[KutnerUri]

I added the same logic for originForReceiving. not sure it makes sense, but the tests pass

[Aaronius]

Thanks for the contribution, @KutnerUri! I left a comment to consider on the issue you logged.

I think I'd like to support a childOrigin value of * rather false, as it's more consistent the wildcard pattern provided underneath the hood by postMessage and also cuts down on some code. I've added commits accordingly. I'd appreciate it if you would review my changes and then I'd like to take another look myself with fresh eyes later. I like to be especially careful with any changes dealing with security.

Nice job figuring out the codebase enough to make the changes you did, btw!

[KutnerUri]

thanks, waiting for a new version of penpal! 😃

I think we should document the "*" option in the JSDocs. (Use "*" to skip origin check).
The test is also imperfect - setting the frame src after connectToChild() was a hack to make it fail. I'd rather use a different server url to make the test fail when not using "*" (but it was complicated for me to implement).

[Aaronius]

Yeah, I agree. I'm cooking up those changes now. 🧑‍🍳

[Aaronius]

Thanks for your contribution, @KutnerUri! Released as 6.2.0.

[KutnerUri]

thanks! 🙏