postMessage()
postMessage()
afterpay.js utilizes the HTML postMessage()
API to exchange information between the Clearpay checkout popup and the page that spawned it, allowing Javascript code running on different origins to communicate with each other in a bidirectional manner.
This bidirectional communication allows a merchant to dynamically update shipping options and transaction information based on a chosen shipping address.
afterpay.js hides this complexity and ensures a secure environment by restricting the use of postMessage()
- Clearpay’s checkout window only receives messages from the merchant window, and vice versa
- Correctly handles multiple concurrent, and possibly out-of-order requests
- Message data is validated and sanitized
Using postMessage()
in this way is considered very secure. For more information please refer to the specification.