Is this a bad practice? #214
Comments
|
following |
|
This is very much valid, since the PostMessage API is mature and even used by payment processors such as Klarna and Stripe, however, this approach does remove the ability to be able to use secure cookies, so I would be careful when using this for authentication or sessions. If you do use it for that, make sure that you don't have any unprotected inputs or script execution, since any script injected could steal the cookie details. Considering there's an upcoming fork of this lib, might want to check it out. And also consider setting a Content-Security-Policy header. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What Is the issue?
I'm doing a workaround for the new privacy policies on Safari and Brave for my injectable chat widget. I need access and set cookies for my chat app, so I decided to go with this.
The child expose this methods to the parent
Then, on the parent I create this handlers
This way I can get/set cookies on the parent from the child using a promise approach.
Example:
const cookie = await connection.sendMessage({ event: 'get-cookie', payload: { cname: 'cookie-name' } });
await connection.sendMessage({ event: 'set-cookie', payload: { cname: 'cookie-name', cvalue: cookieValue, exdays: expirationTime }})
The text was updated successfully, but these errors were encountered: