Yes, you can identify the IFRAME which did the postMessage
. There are different situations:
the source IFRAME has the same-origin URL (e.g. http://example.com/
) as the Window which receives the message: the IFRAME is identified using
myIFRAME.contentWindow == event.source
the source IFRAME has a same-origin but relative URL (e.g. /myApp/myPage.html
) to the parent HTML page: the IFRAME is identified using
myIFRAME.contentWindow == event.source.parent
the source IFRAME has a cross-origin URL (e.g. http://example.com/
) different of the page which receives the message (e.g http://example.org/
): the above methods do not work (the comparison is always false
and accessing properties of event.source
lead to Access Denied
errors) and the IFRAME must be identified based on its origin domain;
myIFRAME.src.indexOf(event.origin)==0
In order to manage these three different situations, I'm using the following:
var sourceFrame = null; // this is the IFRAME which send the postMessage
var myFrames = document.getElementsByTagName("IFRAME");
var eventSource = event.source; // event is the event raised by the postMessage
var eventOrigin = event.origin; // origin domain, e.g. http://example.com
// detect the source for IFRAMEs with same-origin URL
for (var i=0; i<myFrames.length; i++) {
var f = myFrames[i];
if (f.contentWindow==eventSource || // for absolute URLs
f.contentWindow==eventSource.parent) { // for relative URLs
sourceFrame = f;
break;
}
}
// detect the source for IFRAMEs with cross-origin URL (because accessing/comparing event.source properties is not allowed for cross-origin URL)
if (sourceFrame==null) {
for (var i=0; i<myFrames.length; i++) {
if (myFrames[i].src.indexOf(eventOrigin)==0) {
sourceFrame = myFrames[i];
break;
}
}
}
For cross-domain URLs, note that we cannot differentiate the true source if event.origin
is a domain common to more than one IFRAMEs.
Some people use ===
instead of ==
but I did not found any difference in this context, so I'm using the shortest comparator.
This implementation has been tested and works under:
As an alternative (suggested by Griffin), you could use a IFRAME src with an unique idenfitier (e.g. timestamp), and the IFRAME'd web application will send back the this unique identifier in the posted messages. While the IFRAME identification would be simpler, this approach requires to modify the IFRAME'd web application (which is not always possible). This also may lead to security issues (e.g. the IFRAME'd web application tries to guess the unique identifier of other IFRAMEs applications).
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…