window.postMessage

Date: 2010-07-04    Views: 49   Category: Javascript

window.postMessage is a method for safely enabling cross-origin communication.

Normally, scripts on different pages are allowed to access each other only if the pages which executed them are at locations with the same protocol (usually both http), port number (80 being the default for http), and host (modulo document.domain being set by both pages to the same value; that setter is now deprecated). window.postMessage provides a controlled mechanism to circumvent this restriction in a way which is secure when properly used.

[Syntax]
A window can send a message to otherWindow with the following method call:

otherWindow.postMessage(message, targetOrigin);
otherWindow
A reference to another window; such a reference may be obtained, for example, using the contentWindow property of an iframe element, the object returned by window.open, or by named or numeric index on window.frames.


targetOrigin
Specifies what the origin of otherWindow must be for the event to be dispatched, either as the literal string "*" (indicating no preference) or as a URI. If at the time the event is scheduled to be dispatched the scheme, hostname, or port of otherWindow's document does not match that provided in targetOrigin, the event will not be dispatched; only if all three match will the event be dispatched. This mechanism provides control over where messages are sent; for example, if postMessage were used to transmit a password, it would be absolutely critical that this argument be a URI whose origin is the same as the intended receiver of the message containing the password, to prevent interception of the password by a malicious third party. Note that the check is made against the receiver's origin at dispatch time, so a window that has since been navigated to another site will simply not receive the message; this is exactly why "*" should never be used for anything sensitive. (Current browsers also accept "/" to mean "the same origin as the calling window".)
[The dispatched event]

otherWindow can listen for dispatched messages by executing the following JavaScript:


window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  if (event.origin !== "http://example.org:8080")
    return;
  // ...
}

In the code above, the most important thing is the event object, which carries the message together with the attributes needed to check it safely. event has the following attributes:

data
A string holding the message passed from the other window. (The text above dates from 2010; current browsers accept any structured-cloneable value, so data may also be an object, and the receiver must not assume it is a string.)
origin
The origin of the window that sent the message at the time postMessage was called. This string is the concatenation of the protocol and "://", the host name if one exists, and ":" followed by a port number if a port is present and differs from the default port for the given protocol. Examples of typical origins are https://example.org (implying port 443), http://example.net (implying port 80), and http://example.com:8080. Note that this origin is not guaranteed to be the current or future origin of that window, which might have been navigated to a different location since postMessage was called.
source
A reference to the window object that sent the message; you can use this to establish two-way communication between two windows with different origins.
[About the security concerns, after all you are on the internet]
If you do not expect to receive messages from other sites, you should not add any event listeners for message events. This is a completely foolproof way to avoid security problems.

If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
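The following is an added example, not code from the original page or from the browser vendors, showing the two points made above in one request/reply exchange: the sender pins targetOrigin to the intended receiver, and each receiver checks event.origin before acting and then validates the shape of the message. The origins https://app.example, https://widget.example and https://evil.example, and the getStatus/status message formats, are assumptions for the example. FakeWindow is a stand-in for real browser windows so the exchange can run under Node; it applies the same dispatch rule the text describes (a message is delivered only when targetOrigin is "*" or equals the receiver's current origin). In a browser the parent would obtain the child via iframe.contentWindow and the child would reply through event.source.

```javascript
// Added example (not from the original page): parent <-> widget frame exchange over
// postMessage with origin pinning on the sender and origin + syntax checks on the
// receivers. Origins and message shapes are assumptions made for this example.

const PARENT_ORIGIN = "https://app.example";    // assumed origin of the embedding page
const CHILD_ORIGIN = "https://widget.example";  // assumed origin of the iframe

let activeWindow = null; // models "which window's script is running right now"

// Stand-in for a browser window so the example runs under Node.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.listeners = [];
  }

  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }

  // Run fn as a script inside this window, so postMessage calls made by fn
  // carry this window's origin (and a reference to it) in the resulting event.
  run(fn) {
    const previous = activeWindow;
    activeWindow = this;
    try {
      return fn();
    } finally {
      activeWindow = previous;
    }
  }

  // Dispatch rule from the text: unless targetOrigin is "*", the message is
  // delivered only when it equals the receiving window's current origin.
  // (Real browsers deliver asynchronously and structured-clone the data; the
  // JSON round trip here stands in for the clone.) Must be called inside run().
  postMessage(data, targetOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return;
    const event = {
      data: JSON.parse(JSON.stringify(data)),
      origin: activeWindow.origin,
      source: activeWindow,
    };
    for (const fn of this.listeners) this.run(() => fn(event));
  }
}

// Child (widget) side: answer getStatus requests, but only from the parent
// origin and only when the request has the expected shape.
function installChild(win, log) {
  win.addEventListener("message", (event) => {
    if (event.origin !== PARENT_ORIGIN) {
      log.push("child-rejected:" + event.origin);
      return;
    }
    const req = event.data;
    if (!req || req.type !== "getStatus" || typeof req.id !== "string") {
      log.push("child-malformed");
      return;
    }
    log.push("child-request:" + req.id);
    // Reply to the verified sender, pinning targetOrigin to its verified origin
    // rather than "*": if the parent has since navigated away, the reply is dropped.
    event.source.postMessage({ type: "status", id: req.id, ok: true }, event.origin);
  });
}

// Parent side: accept replies only from the widget origin, then validate their shape.
function installParent(win, log) {
  win.addEventListener("message", (event) => {
    if (event.origin !== CHILD_ORIGIN) {
      log.push("parent-rejected:" + event.origin);
      return;
    }
    const msg = event.data;
    if (!msg || msg.type !== "status" || typeof msg.id !== "string" || typeof msg.ok !== "boolean") {
      log.push("parent-malformed");
      return;
    }
    log.push(`status:${msg.id}:${msg.ok}`);
  });
}

// Drives one legitimate exchange plus hostile and mistaken attempts; returns the audit log.
function runExchange() {
  const parent = new FakeWindow(PARENT_ORIGIN);
  const child = new FakeWindow(CHILD_ORIGIN);
  const evil = new FakeWindow("https://evil.example"); // constructed attacker frame
  const log = [];
  installChild(child, log);
  installParent(parent, log);

  // 1. Legitimate request; targetOrigin pinned to the widget's origin.
  parent.run(() => child.postMessage({ type: "getStatus", id: "r1" }, CHILD_ORIGIN));
  // 2. Attacker sends the same request: delivered, but ignored by the event.origin check.
  evil.run(() => child.postMessage({ type: "getStatus", id: "r2" }, "*"));
  // 3. Attacker forges a reply to the parent: rejected the same way.
  evil.run(() => parent.postMessage({ type: "status", id: "r1", ok: false }, "*"));
  // 4. Parent supplies the wrong targetOrigin: never delivered, so nothing is logged for r3.
  parent.run(() => child.postMessage({ type: "getStatus", id: "r3" }, "https://other.example"));
  // 5. Right origin, wrong shape: caught by the syntax check, not the origin check.
  parent.run(() => child.postMessage({ type: "getStatus", id: 42 }, CHILD_ORIGIN));
  return log;
}

console.log(runExchange());
```

Two design points worth noting. The child replies to event.source with event.origin as the targetOrigin, so it never has to hard-code the parent's address and still cannot leak the reply to a window that has navigated elsewhere. And both receivers check the message shape after the origin check, which is the second rule from the text: a trusted origin that is itself compromised, or that has a bug, must not be able to push arbitrary data into your handler.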


Page link: http://www.scriptlover.com/static/648-window-postMessage

Comments

#1: 2012-1-25 2:46:00 by Allysalonanacaona#uslatino.com

I see, I suppose that would have to be the case.
