What Does Document.Domain = Document.Domain Do

What does document.domain = document.domain do?

I actually wrote this code.

When trying to do cross-subdomain/port comet, the iframe needs to have the same document.domain value as the parent frame. Unfortunately, the browser stores the domain name AND port internally for the original document.domain value. But the getter and setter in javascript knows nothing about the port. So the problem is this: if the top frame document.domain is ('example.com', 80), and the bottom frame is ('comet.example.com', 80), how do you get the bottom frame to be ('example.com', 80) as well?

You can't, as changing the hostname portion will necessarily cause the port to be set to null, so the best you can do is ('example.com', null) in the bottom frame. So the top frame also needs to be set to that value, and setting document.domain=document.domain does just that. It changes the internal representation in the browser from ('example.com', 80) to ('example.com', null) and then everything matches up and cross-port/subdomain frame communication works.

Javascript: Difference between location.hostname and document.domain?

It seems that document.domain is a read only property, except in Mozilla, which lets you change the value of the domain that is used for the same origin policy of (for example) AJAX requests without actually updating the page.

The restrictions on this are the same rules of the Same Origin Policy.

At least this is my understanding of the MDC docs for document.domain.

From the docs:

Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.

...

In the DOM HTML specification, this property is listed as being read-only. However, Mozilla will let you set it to a superdomain of the current value, constrained by its base domain. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org".

Try updating document.domain and window.location.hostname to a new value in the console, and see the difference.

Can document.domain include port number?

No. The document.domain includes only the host name.

document.domain

Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.

Alternatively, location.port gets you the port of the domain.

Why doesn't setting document.domain work to allow AJAX requests to a parent domain?

The document.domain mechanism is intended for allowing client-side communication between frames, rather than client-to-server communication. If you have one frame containing a page from example.com and another frame containing a page from foo.example.com then the two cannot access each other's DOM unless the latter sets document.domain to example.com as you showed in your example.

The modern preferred mechanism for cross-domain AJAX requests is Cross-Origin Resource Sharing, or "CORS". This mechanism involves having the target resource return a special HTTP response header that indicates that cross-domain requests are allowed. In your scenario you'd make your test3.php return the following HTTP response header:

Access-Control-Allow-Origin: sub.domain.com

In PHP you'd do this as follows:

header("Access-Control-Allow-Origin: sub.domain.com");

You can also set this header value to just * in order to allow cross-domain requests from any origin, but be aware that this will allow requests from sites you don't control.

Requests from client-side JavaScript libraries often also include the additional header X-Requested-With that is not in the standard set allowed by CORS, so it may be necessary to explicitly allow this header via an additional response header:

Access-Control-Allow-Headers: X-Requested-With

CORS is only supported in modern browsers. For older browsers the common convention is to use JSON-P, which is a trick exploiting the fact that a page on one server is able to load and execute a script file from another server. This technique requires that the target resource be a valid JavaScript program that calls a function in the page, so it's not as elegant and seamless as CORS but it should work in any browser that supports JavaScript.

document.domain is the same yet still getting same-origin errors

Your issue is not domain or host. Your issue is protocol

You cannot set document.domain across protocols

http and https are NOT the same origin due to protocol, just like example.com:80 is NOT the same origin as example.com:8080 due to ports.

There are VERY good security reasons to not be allowed to mix http and https

Please read https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

Changing document.domain to completely other domain

Check out : developer.mozilla.org/same-origin-policy

Here is an excerpt from the site:

There is one exception to the same
origin rule. A script can set the
value of document.domain to a suffix
of the current domain. If it does so,
the shorter domain is used for
subsequent origin checks. For example,
assume a script in the document at
http://store.company.com/dir/other.html
executes the following statement:

document.domain = "company.com";

After
that statement executes, the page
would pass the origin check with
http://company.com/dir/page.html.
However, by the same reasoning,
company.com could not set
document.domain to othercompany.com.

---

Related Topics