JavaScript Security: Same Origin

The Same Origin Policy

Page Maintained by Jesse Ruderman

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document loaded from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

URL                                               Outcome   Reason
http://store.company.com/dir2/other.html          Success   Only the path differs
http://store.company.com/dir/inner/another.html   Success   Only the path differs
https://store.company.com/secure.html             Failure   Different protocol
http://store.company.com:81/dir/etc.html          Failure   Different port
http://news.company.com/dir/other.html            Failure   Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of its current domain, that is, to a parent domain such as company.com for store.company.com. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html. In current browsers this only works if the document at company.com has also set document.domain to "company.com": a document that never assigns document.domain does not take part in the relaxed comparison, even when the value would be its own hostname. (document.domain is deprecated in the HTML standard, and the strict origin comparison above is what new code should rely on.)

However, by the same reasoning, a page at company.com could NOT set document.domain to othercompany.com, because othercompany.com is not a suffix of company.com.
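The following is an added example, not code from this page or from Mozilla. It models the two rules described above in plain JavaScript: the strict origin comparison (protocol, host, port) checked against every row of the table, and the document.domain relaxation, including the suffix rule that rejects othercompany.com. The model follows the current HTML standard in two respects the text does not spell out: both documents must have set document.domain for the relaxed comparison to apply, and once it is set the port is no longer compared. The names originOf, sameOrigin, makeDocument, setDocumentDomain and canAccess are the example's own; the public-suffix check that real browsers apply is replaced by a crude "must contain a dot" test.

```javascript
// Added example: a model of the same origin comparison and of the
// document.domain relaxation. Not Mozilla's code; function names are the
// example's own. Runs under Node (uses the global URL class).

// Parse a URL into its origin triple. URL.port is "" for the scheme's
// default port, so http://host:80/ and http://host/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return { protocol: u.protocol, host: u.hostname, port: u.port };
}

// Strict same origin check: protocol, host and port must all match.
// Path, query and fragment play no part.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Model of a document: its URL and its effective domain (document.domain).
// The effective domain starts out unset (null).
function makeDocument(url) {
  return { url, domain: null };
}

// Model of assigning document.domain. The value must be the current
// hostname or a dot-separated parent of it ("company.com" for
// "store.company.com"); anything else throws, as a browser would.
// The "must contain a dot" test is a crude stand-in for the public-suffix
// check real browsers apply (which rejects values such as "com").
function setDocumentDomain(doc, value) {
  const host = originOf(doc.url).host;
  const isSuffix = value === host || host.endsWith("." + value);
  if (!isSuffix || !value.includes(".")) {
    throw new Error(`cannot set document.domain to "${value}" from ${host}`);
  }
  doc.domain = value;
  return doc;
}

// Can a script in docA touch docB? If neither document set document.domain,
// the strict check applies. If both set it, protocol and effective domain
// must match and the port is ignored (HTML standard behaviour). If only one
// side set it, access is denied even when the strict origins match.
function canAccess(docA, docB) {
  if (docA.domain === null && docB.domain === null) {
    return sameOrigin(docA.url, docB.url);
  }
  if (docA.domain === null || docB.domain === null) {
    return false;
  }
  const a = originOf(docA.url);
  const b = originOf(docB.url);
  return a.protocol === b.protocol && docA.domain === docB.domain;
}

// Constructed input: the table from this page, checked against its reference URL.
const REFERENCE = "http://store.company.com/dir/page.html";
const TABLE = [
  ["http://store.company.com/dir2/other.html", true],
  ["http://store.company.com/dir/inner/another.html", true],
  ["https://store.company.com/secure.html", false],
  ["http://store.company.com:81/dir/etc.html", false],
  ["http://news.company.com/dir/other.html", false],
];

// True when every row of the table agrees with sameOrigin().
function checkTable() {
  return TABLE.every(([url, expected]) => sameOrigin(REFERENCE, url) === expected);
}

// Walk through the document.domain scenario from the text step by step.
function domainScenario() {
  const store = makeDocument("http://store.company.com/dir/other.html");
  const parent = makeDocument("http://company.com/dir/page.html");
  const before = canAccess(store, parent);      // false: different host
  setDocumentDomain(store, "company.com");
  const oneSided = canAccess(store, parent);    // false: parent has not opted in
  setDocumentDomain(parent, "company.com");
  const after = canAccess(store, parent);       // true: both relaxed to company.com
  let rejected = false;
  try {
    setDocumentDomain(store, "othercompany.com"); // not a suffix of store.company.com
  } catch (e) {
    rejected = true;
  }
  return { before, oneSided, after, rejected };
}

console.log("table matches:", checkTable());
console.log(domainScenario());
```

Running the block prints that the table matches and the scenario object {before: false, oneSided: false, after: true, rejected: true}; the oneSided step is the one practitioners most often trip over, since a frame on store.company.com that sets document.domain still cannot reach a parent page on company.com until that page sets the same value itself.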