What does document.domain = document.domain do?
I actually wrote this code.
When trying to do cross-subdomain/port comet, the iframe needs to have the same document.domain
value as the parent frame. Unfortunately, the browser stores the domain name AND port internally for the original document.domain
value. But the getter and setter in javascript knows nothing about the port. So the problem is this: if the top frame document.domain
is ('example.com', 80)
, and the bottom frame is ('comet.example.com', 80)
, how do you get the bottom frame to be ('example.com', 80)
as well?
You can't, as changing the hostname portion will necessarily cause the port to be set to null
, so the best you can do is ('example.com', null)
in the bottom frame. So the top frame also needs to be set to that value, and setting document.domain=document.domain
does just that. It changes the internal representation in the browser from ('example.com', 80)
to ('example.com', null)
and then everything matches up and cross-port/subdomain frame communication works.
Javascript: Difference between location.hostname and document.domain?
It seems that document.domain
is a read only property, except in Mozilla, which lets you change the value of the domain that is used for the same origin policy of (for example) AJAX requests without actually updating the page.
The restrictions on this are the same rules of the Same Origin Policy.
At least this is my understanding of the MDC docs for document.domain
.
From the docs:
Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
...
In the DOM HTML specification, this property is listed as being read-only. However, Mozilla will let you set it to a superdomain of the current value, constrained by its base domain. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org".
Try updating document.domain
and window.location.hostname
to a new value in the console, and see the difference.
Can document.domain include port number?
No. The document.domain
includes only the host name.
document.domain
Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
Alternatively, location.port
gets you the port of the domain.
Why doesn't setting document.domain work to allow AJAX requests to a parent domain?
The document.domain
mechanism is intended for allowing client-side communication between frames, rather than client-to-server communication. If you have one frame containing a page from example.com
and another frame containing a page from foo.example.com
then the two cannot access each other's DOM unless the latter sets document.domain
to example.com
as you showed in your example.
The modern preferred mechanism for cross-domain AJAX requests is Cross-Origin Resource Sharing, or "CORS". This mechanism involves having the target resource return a special HTTP response header that indicates that cross-domain requests are allowed. In your scenario you'd make your test3.php
return the following HTTP response header:
Access-Control-Allow-Origin: sub.domain.com
In PHP you'd do this as follows:
header("Access-Control-Allow-Origin: sub.domain.com");
You can also set this header value to just *
in order to allow cross-domain requests from any origin, but be aware that this will allow requests from sites you don't control.
Requests from client-side JavaScript libraries often also include the additional header X-Requested-With
that is not in the standard set allowed by CORS, so it may be necessary to explicitly allow this header via an additional response header:
Access-Control-Allow-Headers: X-Requested-With
CORS is only supported in modern browsers. For older browsers the common convention is to use JSON-P, which is a trick exploiting the fact that a page on one server is able to load and execute a script file from another server. This technique requires that the target resource be a valid JavaScript program that calls a function in the page, so it's not as elegant and seamless as CORS but it should work in any browser that supports JavaScript.
document.domain is the same yet still getting same-origin errors
Your issue is not domain or host. Your issue is protocol
You cannot set document.domain
across protocols
http
and https
are NOT the same origin due to protocol, just like example.com:80 is NOT the same origin as example.com:8080 due to ports.
There are VERY good security reasons to not be allowed to mix http and https
Please read https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Changing document.domain to completely other domain
Check out : developer.mozilla.org/same-origin-policy
Here is an excerpt from the site:
There is one exception to the same
origin rule. A script can set the
value of document.domain to a suffix
of the current domain. If it does so,
the shorter domain is used for
subsequent origin checks. For example,
assume a script in the document at
http://store.company.com/dir/other.html
executes the following statement:document.domain = "company.com";
After
that statement executes, the page
would pass the origin check with
http://company.com/dir/page.html.
However, by the same reasoning,
company.com could not set
document.domain to othercompany.com.
Related Topics
How to Have Jquery Restrict File Types on Upload
Unique Object Identifier in JavaScript
Filtering an Array with a Function That Returns a Promise
Unsafe JavaScript Attempt to Access Frame with Url
Preventing Click Event with Jquery Drag and Drop
Calling Method Using JavaScript Prototype
Typescript: Deep Keyof of a Nested Object, with Related Type
Jquery Ajax Requests Are Getting Cancelled Without Being Sent
Why Are Objects Not Iterable in JavaScript
Is There a JavaScript MVC (Micro-)Framework
How to Listen for a Click-And-Hold in Jquery
How to Update States 'Onchange' in an Array of Object in React Hooks
Ipad/iPhone Browser Crashing When Loading Images in JavaScript
Why Is Bind Slower Than a Closure
How to Debug JavaScript with Ie 8
Angularjs - How to Get an Ngrepeat Filtered Result Reference