21.3. The Same-Origin Policy
The same-origin policy does not actually apply to all properties of all objects in a window from a different origin. But it does apply to many of them, and in particular, it applies to practically all of the properties of the Document object. For all intents and purposes, you should consider all predefined properties of all client-side objects with different origins off-limits to your scripts. User-defined properties of objects with different origins may also be restricted, although this may vary from implementation to implementation.
The same-origin policy is a fairly severe restriction, but it is necessary to prevent scripts from stealing proprietary information. Without this restriction, an untrusted script (perhaps a script loaded through a firewall into a browser on a secure corporate intranet) in one window could use DOM methods to read the contents of documents in other browser windows, which might contain private information.
If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows and each of the windows may read properties from the other. For example, cooperating scripts in documents loaded from orders.acme.com and catalog.acme.com might set their document.domain properties to "acme.com", thereby making the documents appear to have the same origin and enabling each document to read properties of the other.
Copyright © 2003 O'Reilly & Associates. All rights reserved.