
The only way for a worker to communicate with the rest of the browser context is by using the `postMessage` method. The host code has to listen and respond via the `onmessage` handler, so the worker is unable to do anything that you don't explicitly implement in your `onmessage` handler.

You still have to make sure the API you expose to the user plugins isn't exploitable.
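The host-side handler the comment above describes, as an added example that is not part of the original thread. The message shape `{id, method, args}`, the method names `getTitle` and `setStatus`, and the function name `handlePluginMessage` are assumptions made for illustration.

```javascript
// Added example: host-side dispatcher for messages from an untrusted plugin
// worker. Message shape and method names are assumptions, not from the thread.

const state = { title: "Untitled", status: "" };

// Allowlist held in a Map: a lookup can never resolve to something inherited
// from Object.prototype ("constructor", "__proto__", "toString", ...).
const EXPOSED = new Map([
  ["getTitle", { check: (a) => a.length === 0, run: () => state.title }],
  ["setStatus", {
    // Validate every argument: count, type and size.
    check: (a) => a.length === 1 && typeof a[0] === "string" && a[0].length <= 80,
    run: (a) => { state.status = a[0]; return true; },
  }],
]);

function handlePluginMessage(data) {
  // postMessage delivers any structured-cloneable value, so check the shape
  // before reading fields from it.
  if (data === null || typeof data !== "object") {
    return { id: null, error: "bad message" };
  }
  const id = Number.isSafeInteger(data.id) ? data.id : null;
  if (typeof data.method !== "string" || !Array.isArray(data.args)) {
    return { id, error: "bad message" };
  }
  const entry = EXPOSED.get(data.method);
  if (!entry) return { id, error: "unknown method" };
  if (!entry.check(data.args)) return { id, error: "bad arguments" };
  return { id, result: entry.run(data.args) };
}

// Assumed wiring in the browser host:
//   worker.onmessage = (e) => worker.postMessage(handlePluginMessage(e.data));
```

Anything not listed in `EXPOSED` is unreachable from the worker, so the review surface for plugin safety is the `check` and `run` functions of each entry.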




Thank you for the explanation. I was not familiar with this method; it looks interesting, a tradeoff between flexibility and safety vs. iframe.



