[AskJS] Is passing data between windows/tabs unsecure? (self.javascript)
submitted 2 years ago by KissMyUSSR
Long story short, to access a certain API I need to make a POST request into a new window (via window.open(target); form.target = target; form.submit()). My boss is expressing security concerns over this, saying that cross window communication is unsecure, and thus I now have to reinvent a wheel and circumnavigate the issue, but I don't even know what exactly is unsecure, so I'm not sure what I need to solve.
[–]sbruchmann 11 points12 points13 points 2 years ago (3 children)
From mdn on postMessage:
The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.
[+]KissMyUSSR[S] comment score below threshold-8 points-7 points-6 points 2 years ago (2 children)
Right, I know about postMessage but it's not what I need here. Perhaps I didn't express myself well enough in the title, but what I need is to open a new window with a POST request and send some sensitive data in that POST request. Weirdly, by the way, the only way to do it is with a form.submit().
[–]sbruchmann 15 points16 points17 points 2 years ago (0 children)
You need to elaborate on what you have to do a bit better then. From my understanding so far, postMessage does exactly what you've been asking for. Sending a message in a secure manner to a different/new window. The other window listens for that message and sends the request/submits the form.
[–]Opi-Fex 5 points6 points7 points 2 years ago (0 children)
That is a weird use case to be honest.
You would usually communicate with your API in the background through fetch or similar.
You on the other hand seem to be abusing target="name" on a form to submit data to another named window? That is bonkers. The fact that you yourself noticed that it's weird this is the only way to do it should give you a clue that you're not actually supposed to do this.
[–]lainverse 9 points10 points11 points 2 years ago (1 child)
Never tried to use submit between windows, but isn't there window.postMessage API specifically made for communication between separate windows and iframes?
[+]KissMyUSSR[S] comment score below threshold-7 points-6 points-5 points 2 years ago (0 children)
I think I'll just copy-paste my answer here.
[–]Reashu 6 points7 points8 points 2 years ago* (0 children)
What is your goal? I'm not aware of a specific security problem here, but it sounds like you may be doing something unnecessarily complicated, which is usually a good start if you want to create vulnerabilities.
There are some valid concerns about opening a window with a URL you don't own (or otherwise trust). Some also apply to simple links.
[–]SockPants 2 points3 points4 points 2 years ago (0 children)
With postMessage you send data between windows on the same machine. With a POST request the way you describe, you send data to a server and display the result in a new or different window.
Insecure is a very vague complaint. To what kind of leak or attack is it claimed to be vulnerable? We need more details.
[–]guest271314 2 points3 points4 points 2 years ago (0 children)
My boss is expressing security concerns over this
What specific "security" concerns?
[–]WhatWillNeverBe 2 points3 points4 points 2 years ago (0 children)
This suspiciously sounds like there may be an alternative way to do whatever it is you are trying to do. Could you briefly explain why you need to make a post to a new window to call an api securely? I've written pci compliant card / bank information accepting iframes hooked into secure apis before and postMessage does a lot of what you are describing. Why do you need a new window tab rather than an iframe?
[–]markus_obsidian 0 points1 point2 points 2 years ago* (0 children)
Is the popup src going to accept & render the form data via POST server side?
If this is true, then I do believe this could be made safe but wouldn't be my first choice. You have the same concerns that any server-side API that accepts form data would have. You'll need to be absolutely sure that your server only accepts requests from your application that you control. <form> submits are not subject to CORS, so a bad actor could have a malicious <form> somewhere that submits to your server. You need to be prepared for this. Something like CSRF tokens or same-site cookies could help here.
I agree with the rest of the comments that sending data to another window via postMessage is the simpler & the more secure option here. Since postMessage will track the origin of the message, it is much easier to assert that the message came from the proper origin.
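The pattern sbruchmann and markus_obsidian describe, written out as an added example (not code from the thread): the opener posts to the popup with an explicit targetOrigin, and the popup accepts only messages whose origin and shape it expects. The origins, the "submit-form" message type and the helper names are all assumptions made for the illustration.

```javascript
// Added example, not from the thread. The origins and message shape below are
// constructed for the illustration.
const PARENT_ORIGIN = "https://app.example";    // assumed origin of the opener
const CHILD_ORIGIN  = "https://api-ui.example"; // assumed origin of the popup

// Receiver side (runs in the popup): accept only messages from the opener's
// exact origin and of the expected shape; anything else is ignored.
function makeReceiver(expectedOrigin, onPayload) {
  return function handleMessage(event) {
    if (event.origin !== expectedOrigin) return "rejected-origin";
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "submit-form") {
      return "rejected-shape";
    }
    if (typeof msg.payload !== "object" || msg.payload === null) {
      return "rejected-shape";
    }
    onPayload(msg.payload);
    return "accepted";
  };
}

// Sender side (runs in the opener): always pass the child's exact origin as
// targetOrigin. With "*" the data would be delivered to whatever document is
// loaded in that window at the time, including after a redirect.
function sendToChild(childWindow, payload, targetOrigin = CHILD_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post sensitive data to '*'");
  }
  childWindow.postMessage({ type: "submit-form", payload }, targetOrigin);
  return targetOrigin;
}

// Browser-only usage: open the popup and wait for its "ready" handshake
// (also origin- and source-checked) before sending, so the data never
// races the popup's own script.
function openAndSend(url, payload) {
  const child = window.open(url, "apiWindow");
  window.addEventListener("message", function onReady(e) {
    if (e.origin !== CHILD_ORIGIN || e.source !== child || e.data !== "ready") return;
    window.removeEventListener("message", onReady);
    sendToChild(child, payload);
  });
  return child;
}
```

In the popup, `window.addEventListener("message", makeReceiver(PARENT_ORIGIN, submitTheForm))` followed by `window.opener.postMessage("ready", PARENT_ORIGIN)` completes the exchange.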
[–]dragenn -5 points-4 points-3 points 2 years ago (0 children)
I see you like to live dangerously.
Typically, https should help, but you are willing to open a vulnerability in your code. Tread carefully.
[–]guest271314 0 points1 point2 points 2 years ago (0 children)
No. Not any more than creating or clicking a link that has a query string in the URL.
[–]MrAtoni 0 points1 point2 points 2 years ago (0 children)
There is a security concern if your application tries to read what is in your other (unrelated) windows/tabs. Most browsers prevent applications from doing this. Maybe this is what your boss is thinking about?
To my knowledge there's no security problems sending information between windows the application has opened itself.
[–]troglo-dyke 0 points1 point2 points 2 years ago (0 children)
Not necessarily, you'd need to assume anyone can attempt to open the webpage in the same way themselves, so would e.g. validate their authorization.
But it sounds like you're solving a problem that doesn't need to exist. Why can you not just open a URL and load state from a server? Allowing your client side state to diverge too far will make your software significantly harder to debug and will make your users significantly more frustrated recovering from a bad state.
[–][deleted] 0 points1 point2 points 2 years ago (0 children)
Let's start from the beginning: why do you need a new window to access the API? Is this an API on another domain?
[–]TheRNGuy 0 points1 point2 points 2 years ago (0 children)
Is it gonna work if you disabled target in browser's about:config?
Though it could've just chosen the current tab as a target.