
Is this a bad practice? #214

Open
EmanuelAguilar74 opened this issue Mar 6, 2021 · 2 comments

Comments

@EmanuelAguilar74

EmanuelAguilar74 commented Mar 6, 2021

What is the issue?

I'm doing a workaround for the new privacy policies on Safari and Brave for my injectable chat widget. I need to access and set cookies for my chat app, so I decided to go with this.

The child exposes these methods to the parent
[image]

Then, on the parent I create these handlers
[image]

This way I can get/set cookies on the parent from the child using a promise approach.
Example:
const cookie = await connection.sendMessage({ event: 'get-cookie', payload: { cname: 'cookie-name' } });

await connection.sendMessage({ event: 'set-cookie', payload: { cname: 'cookie-name', cvalue: cookieValue, exdays: expirationTime } });

@kovacs

kovacs commented Apr 26, 2021

following

@tmikaeld

tmikaeld commented May 31, 2021

This is very much valid, since the PostMessage API is mature and even used by payment processors such as Klarna and Stripe, however, this approach does remove the ability to be able to use secure cookies, so I would be careful when using this for authentication or sessions. If you do use it for that, make sure that you don't have any unprotected inputs or script execution, since any script injected could steal the cookie details.

Considering there's an upcoming fork of this lib, might want to check it out.

And also consider setting a Content-Security-Policy header.
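The following is an added example, not code from the issue or from the library being discussed. It implements the get-cookie / set-cookie request-reply protocol from the first post over raw `postMessage`, and applies the caveats from the reply above: the parent only answers messages whose `event.origin` is on an allow-list, only allow-listed cookie names can be read or written, replies go back to the exact origin (never `'*'`), and cookies are written with `Secure` and `SameSite`. `HttpOnly` cannot be set from script, which is exactly the limitation the reply warns about. The origins, cookie names and the `memoryCookieStore` helper are assumptions so the logic can run outside a browser; `installParentListener` and `makeChildClient` are the browser wiring and are not executed here.

```javascript
'use strict';

// Assumed values for the example: the child's origin and the cookie names
// the widget is allowed to touch. Anything else is refused.
const ALLOWED_CHILD_ORIGINS = new Set(['https://chat.example.com']);
const ALLOWED_COOKIE_NAMES = new Set(['chat-session', 'chat-visitor-id']);

// Parse a document.cookie string ("a=1; b=x%20y") into a Map of decoded values.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar.set(name, decodeURIComponent(part.slice(idx + 1).trim()));
  }
  return jar;
}

// Build the string assigned to document.cookie. Secure and SameSite are set;
// HttpOnly cannot be set from script, so a cookie written this way is
// readable by any script running in the parent page.
function buildCookie(name, value, exdays) {
  const expires = new Date(Date.now() + exdays * 864e5).toUTCString();
  return `${name}=${encodeURIComponent(value)}; expires=${expires}; path=/; Secure; SameSite=Lax`;
}

// Pure parent-side handler. `event` is a MessageEvent-like object
// ({ origin, data }), `store` is { read(): string, write(cookieStr): void }.
// Returns the reply object to post back, or null when the message is dropped.
function handleCookieMessage(event, store) {
  if (!ALLOWED_CHILD_ORIGINS.has(event.origin)) return null; // unknown origin: ignore silently
  const { id, event: type, payload } = event.data || {};
  if (typeof id !== 'string' || !payload || !ALLOWED_COOKIE_NAMES.has(payload.cname)) {
    return { id, ok: false, error: 'rejected' };
  }
  if (type === 'get-cookie') {
    const jar = parseCookies(store.read());
    return { id, ok: true, value: jar.has(payload.cname) ? jar.get(payload.cname) : null };
  }
  if (type === 'set-cookie') {
    if (typeof payload.cvalue !== 'string' || !Number.isFinite(payload.exdays)) {
      return { id, ok: false, error: 'bad payload' };
    }
    store.write(buildCookie(payload.cname, payload.cvalue, payload.exdays));
    return { id, ok: true };
  }
  return { id, ok: false, error: 'unknown event' };
}

// Browser wiring for the parent page (not run here): reply to event.source
// with targetOrigin = event.origin so only the verified child receives it.
function installParentListener(win, doc) {
  const store = { read: () => doc.cookie, write: (s) => { doc.cookie = s; } };
  win.addEventListener('message', (ev) => {
    const reply = handleCookieMessage(ev, store);
    if (reply && ev.source) ev.source.postMessage(reply, ev.origin);
  });
}

// Child-side promise client (not run here): correlates replies by id and
// accepts answers only from the expected parent origin.
function makeChildClient(win, parentOrigin) {
  const pending = new Map();
  win.addEventListener('message', (ev) => {
    if (ev.origin !== parentOrigin || !ev.data || !pending.has(ev.data.id)) return;
    const { resolve, reject } = pending.get(ev.data.id);
    pending.delete(ev.data.id);
    if (ev.data.ok) resolve(ev.data.value); else reject(new Error(ev.data.error));
  });
  return {
    sendMessage(msg) {
      const id = `${Date.now()}-${Math.random().toString(16).slice(2)}`;
      return new Promise((resolve, reject) => {
        pending.set(id, { resolve, reject });
        win.parent.postMessage({ id, ...msg }, parentOrigin);
      });
    },
  };
}

// Constructed in-memory stand-in for document.cookie so the handler can be
// exercised outside a browser (assignment replaces a cookie of the same name).
function memoryCookieStore() {
  const jar = new Map();
  return {
    read: () => [...jar].map(([k, v]) => `${k}=${v}`).join('; '),
    write: (cookieStr) => {
      const [pair] = cookieStr.split(';');
      const idx = pair.indexOf('=');
      jar.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
    },
  };
}
```

In the browser the parent calls `installParentListener(window, document)` and the child uses `makeChildClient(window, 'https://parent.example.com').sendMessage({ event: 'get-cookie', payload: { cname: 'chat-session' } })`, which mirrors the `connection.sendMessage` calls in the first post. The two allow-lists are the part that matters for safety: without the origin check any page that can embed the parent's listener can read or overwrite the cookies, and without the name allow-list the child can reach every non-HttpOnly cookie on the parent domain.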
