Cross-document messaging hack

The Dojo and Windows Live Platform teams have both recently released DHTML hacks that allow two iframes in different domains to communicate, bypassing the notorious same-domain policy implemented in browsers. I'm surprised by the relative lack of response in the AJAX blogosphere, as this opens lots of possibilities for mashups.

The basics:

The hack relies on dynamically created iframes, using the fragment identifier to leak/communicate information to the other domain and timers to check for iframe changes.

For example, if you have page A containing an iframe B in a different domain, then B can create a new iframe and load it with a url in the same domain as A.
The url that is loaded doesn't generate a request to the server if it is properly cached and only the fragment identifier is used to pass changing information. Page A can now get the DOM handle on the new iframe and successfully retrieve the information transmitted in the url by B.

Although the hack goes around the same domain policy, you should realize that it does not constitute a significant security threat, as it requires both frames to cooperate. Additionally, this mechanism allows for control of which domains can work together.

The technique still needs to be perfected, as it has some inconvenient side effects in some browsers (clicking noise, throbber behavior). But it's functional enough for some experimentation with new kinds of mashups, until browsers start supporting some proper APIs to do the dirty work.
Already, Opera 8 supports the cross-document messaging API (postMessage) drafted by the WHAT working group.

(By the way, Opera 9 also adds support another feature from that spec: server-side events.)

The applications:

Dojo uses this technique to expose some pretty generic functionality, allowing to open up web APIs to cross-domain requests (

Windows Live goes into a more specific proof of concept, with the Windows Live Contacts Gadget, an embeddable contact picker. It explores the problem of cross-domain interactions deeper than the Dojo work, specifically around authentication, access control and privacy.

An interesting aspect of the Contacts Gadget is that it gives access to Passport protected information while keeping the integration extremely lightweight and not requiring any deep relationship with Microsoft (which is not quite the case for Passport itself).

Now, the question is what cool applications will you build with this new cross-domain capability?

Update (2007/04/07): I noticed a descriptive name for this hack, mentioned on James Burke's blog: "fragment identifier messaging (FIM) with IFrames".

Update (2008/02/18): The cross-messaging API, postMessage, is now available in Firefox 3 as of beta 3.

Posted by Julien on September 18, 2006. Permalink
comments powered by Disqus

I think this is the same as Atlas' IFrameExecutor.

Posted by: Bertrand Le Roy at September 19, 2006 01:34 PM