Isn't this a huge security hole?

[Bilge]

It seems to me that anyone deploying the "magic iframe" onto their site allows anyone to read their local storage for that site. If that's the case, and no means of mitigation are provided, at the very least this should be expressed clearly at the top of the readme in large lettering to make users aware of the security implications of deploying this code.

[ofirdagan]

Not sure I understand the "security implications" that you're talking about. Can u please describe a possible exploit?
The localStorage is saved on the client's machine. It's not accessible from other devices. The purpose of the "magic iframe" is to serve as a bridge between the two domains but on for the same client.

[ofirdagan]

I think that I see what you're talking about,. In case someone uses iframe X and then a malicious site uses this lib to read iframe X's localstorage. I guess it's fixable by limiting the onMessage to a known domain only. WDYT?

[Bilge]

I'm pretty sure that's exactly what has been proposed before such as in #17 and #19.

[ofirdagan]

Unfortunately #19 was never merged :/

[Bilge]

As I can see. Why not?

[ofirdagan]

there were missing tests and conflicts that were not fixed.

[Bilge]

Sometimes it's a good idea to work together on a PR instead of just demanding the author to make all the changes you want.

[ofirdagan]

I agree