Cross-Window Communication

Frames / Windows: Cross-Window Communication

---

---

What is Cross-Window Communication in JavaScript?

View Answer:

Interview Response: Cross-Window Communication is a technique allowing different browser windows or tabs, either on the same domain or different, to communicate with each other.

---

Can JavaScript communicate between tabs in the same browser?

View Answer:

Interview Response: Yes, JavaScript can communicate between browser tabs using mechanisms like localStorage events, BroadcastChannel API, SharedWorker, or postMessage API for cross-origin communication.

Code Example:

Sure, here's a simple code example using localStorage and storage event:

Tab 1: Sending tab

// set data to localStorage
localStorage.setItem("message", "Hello from Tab 1");

Tab 2: Receiving tab

// listen for storage events
window.addEventListener('storage', function(event) {
  if (event.key == 'message') {
    console.log('Received message: ' + event.newValue);
  }
});

In this example, when you set an item in localStorage from Tab 1, Tab 2 will receive this update through the storage event and log the new value.

---

What is the same-origin policy in JavaScript?

View Answer:

Interview Response: The Same-Origin Policy is a web security concept that restricts how a document or script from one origin can interact with a resource from another origin.

Technical Response: Two URLs are said to have the “same-origin” if they have the same protocol, domain, and port. The “Same Origin” (same site) policy limits access of windows and frames to each other. The idea is that if a user has two pages open: one from john-smith.com and another one is gmail.com, then they would not want a script from john-smith.com to read our mail from gmail.com. So, the “Same Origin” policy aims to protect users from information theft.

These URLs all share the same origin:

• http://site.com
• http://site.com/
• http://site.com/my/page.html

These do not:

• http://www.site.com (another domain: www. matters)
• http://site.org (another domain: .org matters)
• https://site.com (another protocol: https)
• http://site.com:8080 (another port: 8080)

---

What are some security concerns with cross-window communication?

View Answer:

Interview Response: Security concerns include Cross-Site Scripting (XSS), where malicious scripts are injected into trusted websites, and Cross-Site Request Forgery (CSRF), tricking users into unwanted actions.

---

How can JavaScript communicate with an iframe?

View Answer:

Interview Response: JavaScript can communicate with an iframe using the `contentWindow` property to access the iframe's window object, or `postMessage` method for cross-origin communication.

Code Example:

const iframe = document.getElementById("myframe");
const contentWindow = iframe.contentWindow;

// Change the background color of the iframe's document
contentWindow.document.body.style.backgroundColor = "red"; 

---

What are the rules for same-origin policy for an iframe?

View Answer:

Interview Response: An iframe follows the same-origin policy as pop-up windows: it can freely interact with its parent document if they're of the same origin; otherwise, interactions are restricted.

Technical Response: The same rules that apply pop-up windows apply for iframes regarding origin policies. When we access something within the embedded window, the browser checks to see if the iframe has the base origin; if not, access gets prohibited (writing to location is an exception, its still permitted).

Code Example:

<iframe src="https://example.com" id="iframe"></iframe>

<script>
  iframe.onload = function () {
    // we can get the reference to the inner window
    let iframeWindow = iframe.contentWindow; // OK
    try {
      // ...but not to the document inside it
      let doc = iframe.contentDocument; // ERROR
    } catch (e) {
      console.log(e); // Security Error (another origin)
    }

    // also we can't READ the URL of the page in iframe
    try {
      // Can't read URL from the Location object
      let href = iframe.contentWindow.location.href; // ERROR
    } catch (e) {
      console.log(e); // Security Error
    }

    // ...we can WRITE into location (and thus load something else into the iframe)!
    iframe.contentWindow.location = '/'; // OK

    iframe.onload = null; // clear the handler, not to run it after the location change
  };
</script>

---

How do iframe.onload and iframe.contentWindow.onload differ?

View Answer:

Interview Response: The `iframe.onload` event fires when the iframe and all its contents are loaded. `iframe.contentWindow.onload` fires when the iframe's window, and its document, are fully loaded, excluding assets like images or stylesheets.

---

How do subdomains operate in the context of the same-origin policy?

View Answer:

Technical Response: Subdomains are considered different origins under the same-origin policy, unless explicitly set otherwise. This means that cross-subdomain interactions are restricted by default.

Technical Response: Two URLs with distinct domains must have different origins. However, suppose multiple windows share the same second-level domain, such as jane.site.com, pam.site.com, and site.com (their common 2nd level domain is site.com). In that case, we can instruct the browser to ignore the difference and treat them as coming from the "same-origin" for cross-window communication. Execute the code in each window and assign the base domain to the subdomains to make it work.

Code Example:

<script>
  document.domain = 'site.com';
</script>

---

Are there any pitfalls when an iframe attempts to access its document?

View Answer:

Interview Response: Yes, iframes from different origins cannot access each other's documents due to the Same-Origin Policy, leading to a "cross-origin" error.

Technical Response: Yes, there is a problem when an iframe arrives from the exact base origin, and we may access its page. It has nothing to do with cross-origin issues, but it is crucial to understand. An iframe has a document as soon as it gets created. But that document is not the same as the one that gets loaded into it! As a result, if we act on the document right away. We should not operate with the document of an unloaded iframe since it is incorrect. If we add event handlers to it, they get ignored.

Code Example:

<iframe src="/" id="iframe"></iframe>

<script>
  let oldDoc = iframe.contentDocument;
  iframe.onload = function () {
    let newDoc = iframe.contentDocument;
    // the loaded document is not the same as initial!
    console.log(oldDoc == newDoc); // false
  };
</script>

---

Is there a way to detect the moment when the document loads into an iframe?

View Answer:

Interview Response: Yes, when iframe.onload triggers. But it only triggers when the whole iframe with all resources is loaded. We can try to catch the moment earlier using checks in a setInterval method.

Code Example:

<iframe src="/" id="iframe"></iframe>

<script>
  let oldDoc = iframe.contentDocument;

  // every 100 ms check if the document is the new one
  let timer = setInterval(() => {
    let newDoc = iframe.contentDocument;
    if (newDoc == oldDoc) return;

    console.log('New document is here!');

    clearInterval(timer); // cancel setInterval, don't need it any more
  }, 100);
</script>

---

What approach should you use to access the window object for an iframe?

View Answer:

Interview Response: You can use the `contentWindow` property of the iframe to access its window object, assuming same-origin policy allows it.

Technical Response: A window object for ‹iframe› can also be obtained from the “named” collection window.frames. There are two options: by number or by name. In terms of figures: window.frames[0] – the window object for the first frame of the document. The window object for the frame with the name="iframeName" property is known as window.frames.iframeName.

Code Example:

<iframe src="/" style="height:80px" name="win" id="iframe"></iframe>

<script>
  console.log(iframe.contentWindow == frames[0]); // true
  console.log(iframe.contentWindow == frames.win); // true
</script>

---

What is the purpose of the “sandbox” iframe attribute?

View Answer:

Interview Response: The "sandbox" attribute enhances security and restricts the iframe's behavior, including limiting scripts, blocking form submission, or preventing top navigation.

Technical Response: The sandbox property enables the exclusion of particular operations within an ‹iframe› to prevent it from running untrusted code. It "sandboxes" the iframe by treating it as though it came from somewhere else and applying extra constraints. For ‹iframe sandbox src="..."›, a "default set" of limitations is imposed. However, We can loosen restrictions, though, if we specify a space-separated list of limitations that we should not enforce as an attribute value, such as this: ‹iframe sandbox="allow-forms allow-popups"›. In other words, an empty "sandbox" property imposes the most robust restrictions imaginable, but we may specify a space-delimited list of those we want to remove.

Code Example:

<script>
  <iframe src='demo_iframe_sandbox.htm' sandbox />; // STRICT SANDBOX LEVEL
</script>

---

Can you explain what the postMessage interface message does?

View Answer:

Interview Response: The `postMessage` interface safely enables cross-origin communication. It sends a message from the invoking window to another window or iframe, which can listen and respond.

Technical Response: The postMessage interface allows windows to communicate with one another regardless of origin. So, it is a way around the “Same Origin” policy. It allows a window from john-smith.com to talk to gmail.com and exchange information, but only if they both agree and call corresponding JavaScript functions. That makes it safe for users. The interface has two parts or arguments.

---

How does the postMessage method interact with an iframe?

View Answer:

Interview Response: The `postMessage` method sends a message to the iframe's window object. The iframe can listen for this message with an 'onmessage' event handler.

Technical Response: The window that wants to send a message calls postMessage method of the receiving window. In other words, if we want to send the message to win, we should call win.postMessage(data, targetOrigin). The data argument is the data we are attempting to send. It can be any object; the data gets cloned using the “structured serialization algorithm”. IE supports only strings, so we should JSON.stringify complex objects to support that browser. The targetOrigin specifies the origin for the target window so that only a window from the given origin gets the message.

Code Example:

<iframe src="http://example.com" name="example">
  <script>
    let win = window.frames.example;

    win.postMessage('message', 'http://example.com');
  </script>
</iframe>

---

How would you receive a message from a postMessage?

View Answer:

Interview Response: To receive a message from `postMessage`, you need set up an event listener for the 'message' event using `window.addEventListener('message', callbackFunction)`.

Technical Response: The target window should have a handler on the message event to receive a message. It is triggered when the postMessage method gets invoked (and targetOrigin check is successful). The event object has unique properties, including the data, origin, and source properties. The data property holds the data from the postMessage, and the origin property holds the value of the originating document. The source is the reference to the sender window. We can immediately source.postMessage(...) back if we want.

Code Example:

window.addEventListener('message', function (event) {
  if (event.origin != 'https://www.hellojavascript.info') {
    // something from an unknown domain, let's ignore it
    return;
  }

  console.log('received: ' + event.data);

  // can message back using event.source.postMessage(...)
});

---

How can JavaScript detect if a new tab or window is opened?

View Answer:

Interview Response: JavaScript can detect a new tab or window if it was opened by the same script using the `window.open` function, which returns a reference to the new window.

Code Example:

let newWindow = window.open('https://www.example.com', '_blank');

if (newWindow) {
    console.log('A new window or tab has been opened');
}

---

What does the term "origin" refer to in the context of cross-window communication?

View Answer:

Interview Response: In the context of cross-window communication, "origin" refers to the combination of scheme (protocol), host (domain), and port from which a document or script originates.

---

How does Broadcast Channel API assist in cross-tab communication?

View Answer:

Interview Response: Broadcast Channel API allows communication between different browser contexts (like tabs, windows, iframes) in the same origin by broadcasting messages to all active channels with the same name.

Code Example:

Here's a simple example of how to use the Broadcast Channel API:

// Create a broadcast channel
let bc = new BroadcastChannel('test_channel');

// Send a message over the broadcast channel
bc.postMessage('Hello from current tab!');

// Listen for messages on the broadcast channel
bc.onmessage = function (event) {
  console.log('Received message: ' + event.data);
};

In this code, a new BroadcastChannel object is created named 'test_channel'. The postMessage method sends a message to all tabs listening to 'test_channel'. The onmessage handler logs any message received from the channel. Any tab that wants to communicate over this channel would use the same channel name 'test_channel'.

---

What is the role of event listeners in cross-window communication?

View Answer:

Interview Response: Event listeners enable the receiving side in cross-window communication to react to events such as messages from `postMessage`, `storage` events for localStorage changes, or messages from a `BroadcastChannel`.

Code Example: This is a simple example to give you a general explanation of the code.

Sender:

window.postMessage("Hello, JavaScript!", "*");

The * in the postMessage() method indicates that the message should be sent to all windows, regardless of their origin.

Receiver:

// This function will be called when a message is received.
function handleMessage(event) {
  console.log("Received message from: " + event.origin);
  console.log("Message Data: " + event.data); // Message Data: Hello, JavaScript!
}

// Listen for messages from other windows.
window.addEventListener("message", handleMessage);

---

What is a MessageEvent in the context of 'postMessage'?

View Answer:

Interview Response: In the context of `postMessage`, a MessageEvent is an event fired when a message is received, containing data sent from the other window, its origin, and a reference to the source.

Code Example:

const event = new MessageEvent('message', {
  data: 'This is a message',
  origin: 'https://example.com',
  source: window.top
});

---

How can we prevent data leakage in cross-window communication?

View Answer:

Interview Response: Data leakage can be prevented by using the Same Origin Policy, validating message origin and data in `postMessage`, employing secure contexts (HTTPS), and mitigating against XSS and CSRF attacks.

---

What is 'window.opener' in JavaScript?

View Answer:

Interview Response: In JavaScript, `window.opener` is a reference to the window that opened the current window or tab, typically via the `window.open` method. It's `null` for windows not opened by script.

Code Example:

<!DOCTYPE html>
<html>
<body>

<h1>The Window Object</h1>
<h2>The opener Property</h2>

<p id="test">Click the Button</p>

<button onclick="myFunction()">Try it</button>

<script>
function myFunction() {
  const myWindow = window.open("", "", "width=600,height=600");
  // target the opener using the window.opener property
  myWindow.opener.document.getElementById("test").innerHTML = "Hello, JavaScript!";
}
</script>

</body>
</html>

---

How does SharedWorker aid in cross-window communication?

View Answer:

Interview Response: SharedWorker allows multiple browser contexts (like tabs, windows, iframes) to share the same worker context and communicate with it, enabling data sharing and computation offloading.

Code Example:

Here's a simple example of using a SharedWorker:

SharedWorker script (mySharedWorker.js):

self.onconnect = function(e) {
  const port = e.ports[0];
  port.onmessage = function(e) {
    console.log("Message received from main script: " + e.data);
    port.postMessage("Hello back from SharedWorker");
  }
}

Main script (in your HTML file):

if (window.SharedWorker) {
  let myWorker = new SharedWorker('mySharedWorker.js');

  myWorker.port.start();

  myWorker.port.postMessage("Hello from main script");
  myWorker.port.onmessage = function(e) {
    console.log("Message received from SharedWorker: " + e.data);
  }
}

In this code, the SharedWorker script listens for connection events and messages. The main script creates the SharedWorker, sends a message to it, and listens for messages back from it.

---

What does 'browsing context' mean in JavaScript?

View Answer:

Interview Response: In JavaScript, a 'browsing context' is an environment in which documents are presented to the user. It includes windows, tabs, iframes, or other embedded documents in a webpage.

---

Can we use WebSocket for cross-window communication?

View Answer:

Interview Response: Yes, WebSocket can be used for cross-window communication. All tabs can connect to the same WebSocket server and exchange real-time messages, even with different origins.

Code Example:

let ws;

function connect() {
  ws = new WebSocket("ws://localhost:8080/");
  ws.onopen = function() {
    console.log("Connection opened");
  };
  ws.onmessage = function(event) {
    console.log(event.data);
  };
}

function sendMessage() {
  ws.send("Hello from window 1");
}

---

What is Cross-Document Messaging?

View Answer:

Interview Response: Cross-Document Messaging is a mechanism that allows documents to communicate with each other regardless of their source domain, using the `postMessage` method for safe cross-origin communication.

---

What are the potential issues with using 'localStorage' for cross-window communication?

View Answer:

Interview Response: Potential issues include: lack of real-time updates without `storage` event listeners, size limitations, synchronous API can block main thread, potential for data conflicts, and not secure for sensitive data.

---

Can Service Workers be used for cross-window communication?

View Answer:

Interview Response: Yes, Service Workers can be used for cross-window communication. They act as a proxy, receiving and relaying messages between different browser contexts, including multiple windows or tabs.

Code Example:

Here's a simple example of using Service Workers for cross-window communication.

1. Register the service worker:

if ('serviceWorker' in navigator) {
  navigator.serviceWorker.register('/service-worker.js')
  .then(function() {
    console.log('Service Worker Registered');
  });
}

2. Implement the message receiver in service-worker.js:

self.addEventListener('message', function(event){
  clients.matchAll().then(clients => {
    clients.forEach(client => {
        client.postMessage(event.data);
    })
  })
});

3. Send a message to the service worker:

navigator.serviceWorker.controller.postMessage('Hello from page!');

4. Implement the message receiver on the page:

navigator.serviceWorker.onmessage = function(event) {
  console.log('Received a message from service worker: ', event.data);
};

In this example, when a message is posted to the service worker, it's relayed to all connected clients. Each client that has a message handler setup (navigator.serviceWorker.onmessage) will then log the message.

---

What is the Channel Messaging API?

View Answer:

Interview Response: The Channel Messaging API allows for communication between different contexts (like different tabs, iframes, or workers) in the same origin. It uses two-way channels with a port at each end to send messages.

Code Example:

Here's a simple example of using the Channel Messaging API for cross-window communication.

1. The first window creates a message channel and sends one port to the second window using window.postMessage:

// Create a channel
var channel = new MessageChannel();

// Send port2 to the other window
otherWindow.postMessage('Hello from first window', '*', [channel.port2]);

// Listen for messages on port1
channel.port1.onmessage = function(event) {
  console.log('Received:', event.data);
};

2. The second window receives the message channel port and uses it to send a message back to the first window:

window.addEventListener('message', function(event) {
  // Check the origin of the message
  if (event.origin !== 'http://your-expected-origin.com') return;

  // Use the received port to send a message back
  event.ports[0].postMessage('Hello from second window');
});

In this example, the first window sends a message channel port to the second window. The second window then uses this port to send a message back to the first window. This provides a way for the two windows to communicate directly.

---