false childOrigin to skip origin check

README.md

@@ -47,6 +47,9 @@ import { connectToChild } from 'penpal';
 
 const iframe = document.createElement('iframe');
 iframe.src = 'http://example.com/iframe.html';
+
+// This conditional is not Penpal-specific. It's merely
+// an example of how you can add an iframe to the document.
 if (
   document.readyState === 'complete' ||
   document.readyState === 'interactive'
@@ -58,10 +61,11 @@ if (
   });
 }
 
+// This is where the magic begins.
 const connection = connectToChild({
-  // The iframe to which a connection should be made
+  // The iframe to which a connection should be made.
   iframe,
-  // Methods the parent is exposing to the child
+  // Methods the parent is exposing to the child.
   methods: {
     add(num1, num2) {
       return num1 + num2;
@@ -81,13 +85,14 @@ connection.promise.then((child) => {
 import { connectToParent } from 'penpal';
 
 const connection = connectToParent({
-  // Methods child is exposing to parent
+  // Methods child is exposing to parent.
   methods: {
     multiply(num1, num2) {
       return num1 * num2;
     },
     divide(num1, num2) {
-      // Return a promise if the value being returned requires asynchronous processing.
+      // Return a promise if the value being
+      // returned requires asynchronous processing.
       return new Promise((resolve) => {
         setTimeout(() => {
           resolve(num1 / num2);
@@ -106,47 +111,79 @@ connection.promise.then((parent) => {
 
 ### `connectToChild(options: Object) => Object`
 
-**For Penpal to operate correctly, you must ensure that `connectToChild` is called before the iframe has called `connectToParent`.** As shown in the example above, it is safe to set the `src` or `srcdoc` property of the iframe and append the iframe to the document before calling `connectToChild` as long as they are both done in the same [JavaScript event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop). Alternatively, you can always append the iframe to the document _after_ calling `connectToChild` instead of _before_.
+**For Penpal to operate correctly, you must ensure that `connectToChild` is called before the iframe calls `connectToParent`.** As shown in the example above, it is safe to set the `src` or `srcdoc` property of the iframe and append the iframe to the document before calling `connectToChild` as long as they are both done in the same [JavaScript event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop). Alternatively, you can always append the iframe to the document _after_ calling `connectToChild` instead of _before_.
 
 #### Options
 
-`options.iframe: HTMLIFrameElement` (required) The iframe element to which Penpal should connect. Unless you provide the `childOrigin` option, you will need to have set either the `src` or `srcdoc` property on the iframe prior to calling `connectToChild` so that Penpal can automatically derive the child origin. In addition to regular URLs, [data URIs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) and [file URIs](https://en.wikipedia.org/wiki/File_URI_scheme) are also supported.
+`options.iframe: HTMLIFrameElement` (required)
+
+The iframe element to which Penpal should connect. Unless you provide the `childOrigin` option, you will need to have set either the `src` or `srcdoc` property on the iframe prior to calling `connectToChild` so that Penpal can automatically derive the child origin. In addition to regular URLs, [data URIs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) and [file URIs](https://en.wikipedia.org/wiki/File_URI_scheme) are also supported.
+
+`options.methods: Object` (optional)
+
+An object containing methods which should be exposed for the child iframe to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+
+`options.childOrigin: string` (optional)
+
+In the vast majority of cases, Penpal can automatically determine the child origin based on the `src` or `srcdoc` property that you have set on the iframe. This will automatically restrict communication to that origin.
 
-`options.methods: Object` (optional) An object containing methods which should be exposed for the child iframe to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+In some rare cases, particularly when using the `file://` protocol on various devices, browsers are inconsistent in how they report and handle origins. If you receive an error saying that the parent received a handshake from an unexpected origin, you may need to manually pass the child origin using this option.
 
-`options.childOrigin: string` (optional) In the vast majority of cases, Penpal can automatically determine the child origin based on the `src` or `srcdoc` property that you have set on the iframe. Unfortunately, browsers are inconsistent in certain cases, particularly when using the `file://` protocol on various devices. If you receive an error saying that the parent received a handshake from an unexpected origin, you may need to manually pass the child origin using this option.
+In other [niche scenarios](https://github.com/Aaronius/penpal/issues/73), you may want the parent to be able to communicate with any child origin. In this case, you can set `childOrigin` to `*`. **This is discouraged.** To illustrate the risk, if a nefarious attacker manages to create a link within the child page that another user can click (for example, if you fail to inadequately escape HTML in a message board comment), and that link navigates the unsuspecting user's iframe to a nefarious URL, then the page at the nefarious URL could start communicating with your parent window.
 
-`options.timeout: number` (optional) The amount of time, in milliseconds, Penpal should wait for the child to respond before rejecting the connection promise. There is no timeout by default.
+Regardless of how you configure `childOrigin`, communication will always be restricted to only the iframe to which you are connecting.
 
-`options.debug: boolean` (optional) Enables or disables debug logging. Debug logging is disabled by default.
+`options.timeout: number` (optional)
+
+The amount of time, in milliseconds, Penpal should wait for the child to respond before rejecting the connection promise. There is no timeout by default.
+
+`options.debug: boolean` (optional)
+
+Enables or disables debug logging. Debug logging is disabled by default.
 
 #### Return value
 
 The return value of `connectToChild` is a `connection` object with the following properties:
 
-`connection.promise: Promise` A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the child has exposed. Note that these aren't actual memory references to the methods the child exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the child, calling the actual method within the child with the arguments you have passed, and then sending the return value back to the parent. The promise you received will then be resolved with the return value.
+`connection.promise: Promise`
+
+A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the child has exposed. Note that these aren't actual memory references to the methods the child exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the child, calling the actual method within the child with the arguments you have passed, and then sending the return value back to the parent. The promise you received will then be resolved with the return value.
+
+`connection.destroy: Function`
 
-`connection.destroy: Function` A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
+A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
 
 ### `connectToParent([options: Object]) => Object`
 
 #### Options
 
-`options.parentOrigin: string | RegExp` (optional) The origin of the parent window which your iframe will be communicating with. If this is not provided, communication will not be restricted to any particular parent origin resulting in any webpage being able to load your webpage into an iframe and communicate with it.
+`options.parentOrigin: string | RegExp` (optional **but highly recommended!**)
 
-`options.methods: Object` (optional) An object containing methods which should be exposed for the parent window to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+The origin of the parent window which your iframe will be communicating with. If this is not provided, communication will not be restricted to any particular parent origin resulting in any webpage being able to load your webpage into an iframe and communicate with it.
 
-`options.timeout: number` (optional) The amount of time, in milliseconds, Penpal should wait for the parent to respond before rejecting the connection promise. There is no timeout by default.
+`options.methods: Object` (optional)
 
-`options.debug: boolean` (optional) Enables or disables debug logging. Debug logging is disabled by default.
+An object containing methods which should be exposed for the parent window to call. The keys of the object are the method names and the values are the functions. Nested objects with function values are recursively included. If a function requires asynchronous processing to determine its return value, make the function immediately return a promise and resolve the promise once the value has been determined.
+
+`options.timeout: number` (optional)
+
+The amount of time, in milliseconds, Penpal should wait for the parent to respond before rejecting the connection promise. There is no timeout by default.
+
+`options.debug: boolean` (optional)
+
+Enables or disables debug logging. Debug logging is disabled by default.
 
 #### Return value
 
-The return value of `connectToParent` is a `connection` object with the following property:
+The return value of `connectToParent` is a `connection` object with the following properties:
+
+`connection.promise: Promise`
+
+A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the parent has exposed. Note that these aren't actual memory references to the methods the parent exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the parent, calling the actual method within the parent with the arguments you have passed, and then sending the return value back to the child. The promise you received will then be resolved with the return value.
 
-`connection.promise: Promise` A promise which will be resolved once communication has been established. The promise will be resolved with an object containing the methods which the parent has exposed. Note that these aren't actual memory references to the methods the parent exposed, but instead proxy methods Penpal has created with the same names and signatures. When one of these methods is called, Penpal will immediately return a promise and then go to work sending a message to the parent, calling the actual method within the parent with the arguments you have passed, and then sending the return value back to the child. The promise you received will then be resolved with the return value.
+`connection.destroy: Function`
 
-`connection.destroy: Function` A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
+A method that, when called, will disconnect any messaging channels. You may call this even before a connection has been established.
 
 ## Reconnection
 
@@ -158,12 +195,17 @@ NOTE: Currently there is no API to notify consumers of a reconnection. If this i
 
 Penpal will throw (or reject promises with) errors in certain situations. Each error will have a `code` property which may be used for programmatic decisioning (e.g., do something if the error was due to a connection timing out) along with a `message` describing the problem. Errors may be thrown with the following codes:
 
-- `ConnectionDestroyed`
-  - This error will be thrown when attempting to call a method on `child` or `parent` objects and the connection was previously destroyed.
-- `ConnectionTimeout`
-  - `connection.promise` will be rejected with this error after the `timeout` duration has elapsed and a connection has not been established.
-- `NoIframeSrc`
-  - This error will be thrown when the iframe passed into `connectToChild` does not have `src` or `srcdoc` set.
+`ConnectionDestroyed`
+
+This error will be thrown when attempting to call a method on `child` or `parent` objects and the connection was previously destroyed.
+
+`ConnectionTimeout`
+
+The promise found at `connection.promise` will be rejected with this error after the `timeout` duration has elapsed and a connection has not been established.
+
+`NoIframeSrc`
+
+This error will be thrown when the iframe passed into `connectToChild` does not have `src` or `srcdoc` set.
 
 For your convenience, these error codes can be imported as follows:
 

scripts/test.js

@@ -18,6 +18,9 @@ const serveChildViews = () => {
     .use(serveStatic('test/childFixtures'));
 
   http.createServer(childViewsApp).listen(9000);
+  // Host the child views on two ports so tests can do interesting
+  // things like redirect the iframe between two origins.
+  http.createServer(childViewsApp).listen(9001);
 };
 
 const runTests = () => {

src/connectCallReceiver.ts

@@ -35,7 +35,7 @@ export default (
       return;
     }
 
-    if (event.origin !== originForReceiving) {
+    if (originForReceiving !== '*' && event.origin !== originForReceiving) {
       log(
         `${localName} received message from origin ${event.origin} which did not match expected origin ${originForReceiving}`
       );

src/connectCallSender.ts

@@ -85,7 +85,10 @@ export default (
             return;
           }
 
-          if (event.origin !== originForReceiving) {
+          if (
+            originForReceiving !== '*' &&
+            event.origin !== originForReceiving
+          ) {
             log(
               `${localName} received message from origin ${event.origin} which did not match expected origin ${originForReceiving}`
             );

src/parent/handleAckMessageFactory.ts

@@ -23,7 +23,7 @@ export default (
   const callSender: CallSender = {};
 
   return (event: MessageEvent): CallSender | undefined => {
-    if (event.origin !== childOrigin) {
+    if (childOrigin !== '*' && event.origin !== childOrigin) {
       log(
         `Parent: Handshake - Received ACK message from origin ${event.origin} which did not match expected origin ${childOrigin}`
       );

src/parent/handleSynMessageFactory.ts

@@ -11,7 +11,7 @@ export default (
   originForSending: string
 ) => {
   return (event: MessageEvent) => {
-    if (event.origin !== childOrigin) {
+    if (childOrigin !== '*' && event.origin !== childOrigin) {
       log(
         `Parent: Handshake - Received SYN message from origin ${event.origin} which did not match expected origin ${childOrigin}`
       );

test/childFixtures/redirect.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Test Iframe</title>
+    <script>
+      // Pass a URL as a querystring parameter named "to"
+      // and this page will redirect to that URL.
+      const params = new URL(document.location).searchParams;
+      document.location.href = params.get('to') || 'default.html';
+    </script>
+  </head>
+  <body>
+    Test Iframe
+  </body>
+</html>