The postMessage API can provide confidentiality if challenge-response is used. (Thanks to Jeff Walden for the idea.) Because implementing confidentiality is tedious and error-prone, we recommend built-in support for confidentiality in postMessage.
Update 12 February 2008: Our proposal has been accepted into the HTML 5 specification.
postMessage2(frames, message, "theory.stanford.edu");