One of the customers wants to open their Order Management application (hosted in the customer domain) in an iFrame within the Title details page by passing the parameters like customer_id. We found a solution to construct the URL by replacing the placeholder with actual values while rendering the custom app on the Ticket details page.
The customer wants to understand whether our custom application can listen to the window message event from their website, read the data, and perform some actions within the custom app. If so, are there any security concerns about receiving messages from other sites?
Let me know how to enable this communication in the custom app and any security concerns
The app being rendered is in itself an iframe and I don’t think you can communicate with external embedded site in a real-time fashion directly until you have something like a realtime webhook exposed by them.
But, one solution which I could think around is to use something like firebase real-time database triggers. With a solution like this, you can make both of your applications utilise this & facilitate communication. Again, this may not the best solution you’d be looking for. Still, check if it helps.
This solution may meet the requirement but requires additional service and effort. I was looking for a simple solution that supports cross-origin communication.
Window.postMessage() method is one of the traditional ways of communicating across Browser Tabs, Popups, and Iframes, but needs to open the iFrame application using a window.open() and needs to maintain a window object.