

otherWindow.postMessage(message, targetOrigin, [transfer]);

The dispatched event


window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  // For Chrome, the origin property is in the event.originalEvent object.
  var origin = event.origin || event.originalEvent.origin;
  if (origin !== "http://example.org:8080")
    return;

  // ...
}



Security concerns






/*
 * In window A's scripts, with A being on <http://example.com:8080>:
 */

var popup = window.open(...popup details...);

// When the popup has fully loaded, if not blocked by a popup blocker:

// This does nothing, assuming the window hasn't changed its location.
popup.postMessage("The user is 'bob' and the password is 'secret'",
                  "https://secure.example.net");

// This will successfully queue a message to be sent to the popup, assuming
// the window hasn't changed its location.
popup.postMessage("hello there!", "http://example.org");

function receiveMessage(event)
{
  // Do we trust the sender of this message? (might be
  // different from what we originally opened, for example).
  if (event.origin !== "http://example.org")
    return;

  // event.source is popup
  // event.data is "hi there yourself! the secret response is: rheeeeet!"
}
window.addEventListener("message", receiveMessage, false);

/*
 * In the popup's scripts, running on <http://example.org>:
 */

// Called sometime after postMessage is called
function receiveMessage(event)
{
  // Do we trust the sender of this message?
  if (event.origin !== "http://example.com:8080")
    return;

  // event.source is window.opener
  // event.data is "hello there!"

  // Assuming you've verified the origin of the received message (which
  // you must do in any case), a convenient idiom for replying to a
  // message is to call postMessage on event.source and provide
  // event.origin as the targetOrigin.
  event.source.postMessage("hi there yourself! the secret response " +
                           "is: rheeeeet!",
                           event.origin);
}

window.addEventListener("message", receiveMessage, false);







For IDN host names only, the value of the origin property is not consistently Unicode or punycode; for greatest compatibility check for both the IDN and punycode values when using this property if you expect messages from IDN sites. This value will eventually be consistently IDN, but for now you should handle both IDN and punycode forms.

The value of the origin property when the sending window contains a javascript: or data: URL is the origin of the script that loaded the URL.
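One way to combine the origin check with the IDN note above, as an added example that is not code from the original page: the allowlist and event.origin are both normalized through the URL parser, so the Unicode and punycode spellings of a host compare equal while lookalike or opaque origins are dropped. The names canonicalOrigin, makeReceiver and demo, and the host bücher.example, are assumptions made for illustration.

```javascript
// Added example. Hosts are constructed sample values; function names are hypothetical.

// Normalize an origin string to scheme://ascii-host[:port].
// Returns null for anything that is not an http(s) origin (e.g. the string "null").
function canonicalOrigin(origin) {
  if (typeof origin !== "string") return null;
  try {
    const url = new URL(origin);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.origin; // IDN hosts are serialized in punycode form
  } catch (e) {
    return null;
  }
}

// Build a "message" listener that accepts only exact matches against the allowlist.
function makeReceiver(allowedOrigins, handler) {
  const allowed = new Set(allowedOrigins.map(canonicalOrigin).filter(Boolean));
  return function receiveMessage(event) {
    const origin = canonicalOrigin(event.origin);
    if (origin === null || !allowed.has(origin)) return false; // untrusted: ignore
    const reply = handler(event.data, origin);
    // event.source can be null (see the extensions section), so guard the reply.
    if (reply !== undefined && event.source) {
      // Reply idiom from the page: verified event.origin as targetOrigin.
      event.source.postMessage(reply, event.origin);
    }
    return true;
  };
}

// Constructed events standing in for what a browser would dispatch.
function demo() {
  const sent = [];
  const fakeSource = { postMessage: (msg, target) => sent.push([msg, target]) };
  const receive = makeReceiver(["http://bücher.example:8080"], (data) => "ack:" + data);
  const results = [
    "http://bücher.example:8080",                 // Unicode form
    "http://xn--bcher-kva.example:8080",          // punycode form of the same host
    "http://xn--bcher-kva.example.invalid:8080",  // lookalike suffix, different host
    "http://xn--bcher-kva.example",               // same host, different port
    "null",                                       // opaque origin
  ].map((o) => receive({ origin: o, data: "hi", source: fakeSource }));
  return { results, sent };
}

// In a page: window.addEventListener("message", makeReceiver([...], handler), false);
```
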

Using window.postMessage in extensions

window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.) The targetOrigin argument for a message sent to a window located at a chrome: URL is currently misinterpreted such that the only value which will result in a message being sent is "*". Since this value is unsafe when the target window can be navigated elsewhere by a malicious site, it is recommended that postMessage not be used to communicate with chrome: pages for now; use a different method (such as a query string when the window is opened) to communicate with chrome windows. Lastly, posting a message to a page at a file: URL currently requires that the targetOrigin argument be "*". file:// cannot be used as a security restriction; this restriction may be modified in the future.

Browser compatibility

Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari (WebKit)
Basic support | 1.0 | 6.0 (6.0)[1], 8.0 (8.0)[2] | | 9.5 | 4.0
transfer argument | ? | 20.0 (20.0) | Not supported | ? | ?

[1] Prior to Gecko 6.0 (Firefox 6.0 / Thunderbird 6.0 / SeaMonkey 2.3), the message parameter must be a string. Starting in Gecko 6.0 (Firefox 6.0 / Thunderbird 6.0 / SeaMonkey 2.3), the message parameter is serialized using the structured clone algorithm. This means you can pass a broad variety of data objects safely to the destination window without having to serialize them yourself.

[2] Gecko 8.0 introduced support for sending File and FileList objects between windows. This is only allowed if the recipient's principal is contained within the sender's principal for security reasons.

[3] IE8 and IE9 only support it for <frame> and <iframe>.

[4] IE10 has important limitations: see this article for details.

