The postMessage API can provide confidentiality if challenge-response is used. (Thanks to Jeff Walden for the idea.) Because implementing confidentiality is tedious and error-prone, we recommend built-in support for confidentiality in postMessage.

Update 12 February 2008: Our proposal has been accepted into the HTML 5 specification.

postMessage2(frames[0], message, "theory.stanford.edu");