Same origin policy for JavaScript


The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if one is specified), and host are the same for both pages. The following table gives examples of origin comparisons to the URL

URL    Outcome    Reason
       Success
       Success
       Failure    Different protocol
       Failure    Different port
       Failure    Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at executes the following statement:

document.domain = "";

After that statement executes, the page would pass the origin check with However, by the same reasoning, could not set document.domain to

The browser keeps the port number separately. Any call to the setter, including document.domain = document.domain, causes the port number to be overwritten with null. Therefore one cannot make talk to by only setting document.domain = "" in the first. It has to be set in both so that the port numbers are both null.
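The rules above (protocol, host and port comparison, the suffix restriction on document.domain, and the port being overwritten with null by the setter) can be modelled in a few lines. This is an added illustration, not browser code or part of the original document; the Page class, sameOrigin, demo and the example.test hostnames are constructed for the example.

```javascript
// Simplified model of the origin check described in this document.
class Page {
  constructor(href) {
    const u = new URL(href);
    this.protocol = u.protocol;   // e.g. "http:"
    this.host = u.hostname;       // the domain used for origin checks
    this.port = u.port;           // "" when omitted or the scheme default
  }

  // Models the document.domain setter.
  setDomain(value) {
    // Only the current domain or a suffix on a label boundary is accepted,
    // so "ample.test" is not treated as a suffix of "store.example.test".
    // Real browsers also reject public suffixes (a bare TLD); not modelled.
    const ok = value !== "" &&
      (this.host === value || this.host.endsWith("." + value));
    if (!ok) throw new Error(`"${value}" is not a suffix of "${this.host}"`);
    this.host = value;
    this.port = null;             // every call to the setter nulls the port
  }
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

function demo() {
  const store = new Page("http://store.example.test/dir/page.html");
  const parent = new Page("http://example.test/dir/page.html");
  const r = {};
  r.before = sameOrigin(store, parent);    // different host
  store.setDomain("example.test");
  r.oneSided = sameOrigin(store, parent);  // port null on one side only
  parent.setDomain("example.test");        // same value, but nulls the port
  r.bothSet = sameOrigin(store, parent);   // hosts match, both ports null
  try {
    parent.setDomain("store.example.test"); // widening back is not a suffix
    r.widen = true;
  } catch (e) {
    r.widen = false;
  }
  return r;
}
```

The one-sided case is the one to watch for in review: a page that relaxes document.domain only shares an origin with pages that have also called the setter, so every page that opts in must be trusted by all the others.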

Original Document Information

  • Author(s): Jesse Ruderman
