@lavamoat/across

v1.1.1

Across ↔

Allowing Communication Relationship Of Scripts Securely

The Across standard allows different scripts within the same web application to communicate securely by passing messages to one another.

  • Test Across for yourself with this live demo!
  • Learn more about the motivation behind Across
  • Across is still experimental ⚠️ - your help is highly appreciated!

This capability obviously already exists (by reading from and writing to window); the edge Across brings is its core added values:

Core Values

Across makes sure that a message passed on from script A to script B

  1. really did come from the sender script and not any other entity.
  2. was not tampered with by any other entity.
  3. was not read by any other entity.

Install

The latest across production version is included in the official repo and is also available from the unpkg CDN, so to install across on a website, simply host the file anywhere and serve it as-is:

<script src="https://unpkg.com/@lavamoat/across/across.prod.js"></script>
<script>
    // apply Across by running:
    ACROSS();
</script>

Make sure this runs first: any JavaScript that runs before Across can easily prevent it from working securely!

ACROSS API can also be required as part of a bundle instead of a script tag:

yarn add @lavamoat/across

const across = require('@lavamoat/across');
across(); // remember to call Across in order for it to apply

Usage

Once you register your onmessage callback by calling the document.onmessage() API that Across provides, you get back a postMessage function that can be used to send messages to other scripts within the web app:

receive message example

<script src="https://x.com/script-a.js">
  (function(){
    const postMessage = document.onmessage((src, msg) => {
        // only accept messages whose sender is exactly script-b.js
        if (src !== 'https://y.com/script-b.js') {
          console.log('message is not really from "script-b.js"');
          return;
        }
        console.log('got a message from "' + src + '" : ', msg);
    });
  }())
</script>

send message example

<script src="https://y.com/script-b.js">
  (function(){
    const postMessage = document.onmessage((src, msg) => {
      // do nothing    
    });
    setTimeout(() => {
        postMessage('https://x.com/script-a.js', 'hi A, this is B!');
    }, 30);
  }())
</script>

Due to security limitations, registering a script to send and receive messages from other scripts can only be done before the DOM is loaded (that is when the document.currentScript API is still relevant).
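
As an added example (not part of the Across README or code base), the receive side can go beyond a single string comparison: the code below exact-matches `src` against an allowlist and validates the message shape before using it. `makeBus` is a hypothetical in-memory stand-in for `document.onmessage` so the code runs outside a browser; the lookalike URL, the message types and the boolean return value are assumptions of the example.

```javascript
// Added example, not Across code. Assumption: `src` is the sender script's
// full URL string, as in the README's receive example.

// Trusted sender URLs mapped to the message types each may send (constructed).
const TRUSTED = new Map([
  ['https://y.com/script-b.js', new Set(['greeting'])],
]);

// Builds a callback for document.onmessage(); accepted messages go to `sink`.
// Returning true/false is this example's own convention, used by the demo.
function makeReceiver(trusted, sink) {
  return function onMessage(src, msg) {
    const allowedTypes = trusted.get(src); // exact match, never prefix/substring
    if (!allowedTypes) return false;
    if (msg === null || typeof msg !== 'object') return false;
    if (typeof msg.type !== 'string' || !allowedTypes.has(msg.type)) return false;
    if (typeof msg.body !== 'string' || msg.body.length > 256) return false;
    sink.push({ src, type: msg.type, body: msg.body }); // copy only known fields
    return true;
  };
}

// Hypothetical in-memory stand-in for the documented API so this runs in Node.
// In the README the sender is identified for you; here its URL is passed in.
function makeBus() {
  const callbacks = new Map();
  return {
    onmessage(self, cb) {
      callbacks.set(self, cb);
      return (dst, msg) => (callbacks.has(dst) ? callbacks.get(dst)(self, msg) : false);
    },
  };
}

function demo() {
  const A = 'https://x.com/script-a.js';
  const bus = makeBus();
  const received = [];
  bus.onmessage(A, makeReceiver(TRUSTED, received));
  const fromB = bus.onmessage('https://y.com/script-b.js', () => {});
  const fromLookalike = bus.onmessage('https://y.com.other.example/script-b.js', () => {});
  return {
    ok: fromB(A, { type: 'greeting', body: 'hi A, this is B!' }),
    lookalike: fromLookalike(A, { type: 'greeting', body: 'hi' }),
    wrongType: fromB(A, { type: 'admin', body: 'x' }),
    bareString: fromB(A, 'hi A, this is B!'),
    received,
  };
}
```

Only the first message in `demo()` reaches `received`; the lookalike sender, the unlisted message type and the bare string are all dropped before any field is used.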

Contribute

This project is an important POC aspiring to standardize how scripts can securely communicate with each other; however, it is not yet production ready:

Support

Currently across is written to support Chromium-based browsers only; it was never tested on anything else.

Performance

Achieving a hermetic solution comes at a performance cost. Injecting this script into some major websites went smoothly, while on others it caused performance issues.

Security

Although this project takes the hermetic concept very seriously and tests extensively for potential flaws, across might still have flaws that enable attackers to bypass its hooks.

Bottom line - across might have security vulnerabilities!

Tests

In order to assure security, there are many tests that verify that across is fully hermetic as promised - everything that across supports is fully tested.

The tests mainly try to bypass across in any possible way.

If you found a vulnerability in across, open a PR with a test that demonstrates it.

Help

Help with promoting any of the topics above is very much appreciated in order for this project to become production ready and reshape how browser scripts can communicate with one another!

Supporters

Funded by Consensys 💙

Maintained and developed by MetaMask 🦊

Invented and developed by Gal Weizman 👋🏻

Runs on Snow ❄️