D23568: Call window.postMessage with targetOrigin

fvogt added a comment. In D23568#522065 , @broulik wrote: > What we could also do which I just realized is that we could send a `CustomEvent` to the `window` instead of using `postMessage` > Basically what we did before except without a wrappe

D23568: Call window.postMessage with targetOrigin

broulik added a comment. What we could also do which I just realized is that we could send a `CustomEvent` to the `window` instead of using `postMessage` Basically what we did before except without a wrapper `div` as `window` seems to be the same in both content script and website. REPOSIT

D23568: Call window.postMessage with targetOrigin

broulik added a comment. Further down it says > It is not possible for content or web context scripts to specify a targetOrigin to communicate directly with an extension (either the background script or a content script). REPOSITORY R856 Plasma Browser Integration REVISION DETAIL h

D23568: Call window.postMessage with targetOrigin

fvogt added a comment. > Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site. I wonder whether that is relevant to us? REPOSITORY

D23568: Call window.postMessage with targetOrigin

broulik created this revision. broulik added reviewers: Plasma, ognarb, fvogt, davidedmundson. Herald added a project: Plasma. Herald added a subscriber: plasma-devel. broulik requested review of this revision. REVISION SUMMARY According to documentation [1] `targetOrigin` is a required argument