Feature request: allow subdomains of childOrigin

[scottanderson42]

In #73, the ability to allow any child origin was added via '*'. We'd like to do the same thing, but with the restriction of only allowing subdomains of the original child origin as a safer alternative. We can sometimes redirect to a subdomain for certain customer configurations.

Proposed change: if the configured childOrigin domain begins with ., treat subdomains as equivalent.

[Aaronius]

Thanks for logging this. I don't think supporting this securely is very straightforward since Penpal is limited by the underlying postMessage browser API. When using postMessage, the target origin needs to be specified as * or a specific origin.

In the scenario you're describing, the parent would need to know the child's specific subdomain in order to securely connect to the child. I'll keep thinking about this. I'm open to ideas.

[nqustein]

Would there be any interest in implementing this by using the referrer URL and doing some manual parsing?

[Aaronius]

I actually have an implementation on the workers branch that supports a regex or string for both parentOrigin (when connecting from child to parent) and childOrigin (when connecting from parent to a child). That branch also includes support for workers (instead of just iframes) and transferables. It's not quite ready to release though. I think the main thing remaining is getting the types straightened out, particularly for the transferables support.

If you want to try it out, give it spin! I can also publish a pre-release version to npm if that would help.

[lpellegr]

@Aaronius kindly ping. Any progress?

[Aaronius]

Hi @lpellegr. No progress since my last message. I do want to get the new version released this winter, but I can't promise anything.

[lpellegr]

@Aaronius Thank you for the information!

This library is absolutely fantastic—you’ve done an incredible job. I truly appreciate your efforts. Keep up the great work! I’m excited to try out the new version once it’s released.