
Show HN: AcrossTabs – Easy communication between cross-origin browser tabs - softvar
https://github.com/wingify/across-tabs
======
mnarayan01
Looks like a nice library, though using a default of `*` for Origin seems like
an invitation for people to shoot themselves in the foot.

~~~
softvar
Yea, that's totally true. I would recommend using an origin property to be
used every time an instance of the Library is created. Please refer:
[https://github.com/wingify/across-
tabs#usage](https://github.com/wingify/across-tabs#usage)

~~~
detaro
Then don't have a default that works without doing so. Really, defaults like
this lead to "works, ship it" and totally unnecessary cases of vulnerable
software.

~~~
softvar
Does that mean, the library should not act when an origin is not specified and
throw some kinda message in the console?

~~~
tokenizerrr
Yes, a required argument. It's not uncommon. Think API keys.

------
tiplus
I was puzzled when I first saw cross tab communication in impress.js for their
slide control tab (slid.es) and I am still wondering about the proper use case
of this feature today. Isn't this a security nightmare?

~~~
tyingq
It maps back to window.postMessage. There's a security concerns section on
Mozilla's docs: [https://developer.mozilla.org/en-
US/docs/Web/API/Window/post...](https://developer.mozilla.org/en-
US/docs/Web/API/Window/postMessage)

All boils down the sender using a specific target, and the receiver
remembering to check the origin.

------
martin-adams
I think I understand what this does, but I don't think I understand the use
case. Does anyone have any real-world examples of where this helps?

~~~
seibelj
We had this exact problem before, we had a single-page-app console for sales
agents and they would open up a lot of tabs, one for each conversation. If we
didn't sync between the tabs, a lot of alerts and whatnot would have been
duplicated.

~~~
tokenizerrr
Is that cross origin though?

------
zspitzer
Chrome and Firefox support BroadcastChannel

[https://developers.google.com/web/updates/2016/09/broadcastc...](https://developers.google.com/web/updates/2016/09/broadcastchannel)

[https://developer.mozilla.org/en-
US/docs/Web/API/BroadcastCh...](https://developer.mozilla.org/en-
US/docs/Web/API/BroadcastChannel)

~~~
gauravmuk
this works for same origin only.

------
ggaahh
This is great. I found this pattern very useful when communicating with
iframes. I wrote a similar library a while back.

[https://github.com/taylorhakes/postmessage-
plus](https://github.com/taylorhakes/postmessage-plus)

------
ssalka
I had something very similar to this in my backlog, as a weekend project. Glad
to see someone else beat me to it - saves me time in both implementation and
maintenance! I look forward to trying it out

~~~
softvar
Glad to help!

