The Same Origin Policy Documentation says this:
There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes the following statement:
document.domain = "company.com";
After that statement executes, the page would pass the origin check with http://company.com/dir/page.html. However, by the same reasoning, company.com could not set document.domain to othercompany.com.
Do all popular browsers support this? If not, which ones don't?
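To make the rule quoted above concrete, here is an added model (not code from MDN or from any browser) of how the `document.domain` relaxation is evaluated: the assigned value must be a suffix of the current host on a label boundary, and the shortened domain then takes the place of the host in the origin comparison. The `makeDocument`, `setDocumentDomain` and `sameOriginAfterDomainRelaxation` names are hypothetical.

```javascript
// Added example: a small model of the document.domain rule from the question.
// Names are hypothetical; this is not browser or MDN code.

// True when `candidate` equals `host` or is a suffix of it that ends on a label
// boundary: "company.com" matches "store.company.com", "ompany.com" does not.
function isDomainSuffix(host, candidate) {
  host = host.toLowerCase();
  candidate = candidate.toLowerCase();
  if (candidate === host) return true;
  return host.endsWith("." + candidate);
}

// Origin record for a page. `domain` starts as the full host name and is the
// value the origin check uses once document.domain has been assigned.
function makeDocument(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, domain: u.hostname };
}

// Emulates `document.domain = value`. Like a browser, it refuses (SecurityError)
// any value that is not a suffix of the current host, so company.com cannot
// widen itself to othercompany.com.
function setDocumentDomain(doc, value) {
  if (!isDomainSuffix(doc.host, value)) {
    throw new Error(`SecurityError: "${value}" is not a suffix of ${doc.host}`);
  }
  doc.domain = value.toLowerCase();
  return doc;
}

// Origin check with document.domain taken into account: the scheme must still
// match, and the (possibly shortened) domains are compared instead of the hosts.
// Caveat: current browsers additionally require both pages to have assigned
// document.domain and reject public suffixes such as "com"; this model follows
// the behaviour described in the quoted documentation.
function sameOriginAfterDomainRelaxation(a, b) {
  if (a.scheme !== b.scheme) return false;
  return a.domain === b.domain;
}

// Constructed walk-through of the quoted example.
const store = setDocumentDomain(
  makeDocument("http://store.company.com/dir/other.html"), "company.com");
const top = makeDocument("http://company.com/dir/page.html");
console.log(sameOriginAfterDomainRelaxation(store, top)); // true
```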
The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
The Basics of the Same-Origin Policy
One such restriction is that scripts executing on http://example.com are not allowed to access resources on http://subdomain.example.com. Restrictions are applied based on the document's origin, where an origin is defined in RFC 6454 Section 4.
allow-same-origin allows the document to maintain its origin; pages loaded from https://example.com/ will retain access to that origin's data. allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they'd be trivial to implement via JavaScript).
No. The document.domain includes only the host name.
Firefox 2 and 3, IE 6, 7 and 8, Chrome, Safari 2 and 3, and Opera 9 all support document.domain.
Other "newer" browsers likely will as well; however, those are the ones on which I've actually tested my code (which makes use of document.domain).