home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam    

JavaScript: The Definitive GuideJavaScript: The Definitive GuideSearch this book

21.3. The Same-Origin Policy

There is one far-reaching security restriction in JavaScript that deserves its own section. This restriction is known as the same-origin policy: a script can read only the properties of windows and documents that have the same origin (i.e., that were loaded from the same host, through the same port, and by the same protocol) as the script itself.

The same-origin policy does not actually apply to all properties of all objects in a window from a different origin. But it does apply to many of them, and in particular, it applies to practically all of the properties of the Document object. For all intents and purposes, you should consider all predefined properties of all client-side objects with different origins off-limits to your scripts. User-defined properties of objects with different origins may also be restricted, although this may vary from implementation to implementation.

The same-origin policy is a fairly severe restriction, but it is necessary to prevent scripts from stealing proprietary information. Without this restriction, an untrusted script (perhaps a script loaded through a firewall into a browser on a secure corporate intranet) in one window could use DOM methods to read the contents of documents in other browser windows, which might contain private information.

Still, there are circumstances in which the same-origin policy is too restrictive. It poses particular problems for large web sites that use more than one server. For example, a script from home.netscape.com might legitimately want to read properties of a document loaded from developer.netscape.com, or scripts from orders.acme.com might need to read properties from documents on catalog.acme.com. To support large web sites of this sort, JavaScript 1.1 introduced the domain property of the Document object. By default, the domain property contains the hostname of the server from which the document was loaded. You can set this property, but only to a string that is a valid domain suffix of itself. Thus, if domain is originally the string "home.netscape.com", you can set it to the string "netscape.com", but not to "home.netscape" or "cape.com", and certainly not to "microsoft.com". (The domain value must have at least one dot in it; you cannot set it to "com" or any other top-level domain.)

If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows and each of the windows may read properties from the other. For example, cooperating scripts in documents loaded from orders.acme.com and catalog.acme.com might set their document.domain properties to "acme.com", thereby making the documents appear to have the same origin and enabling each document to read properties of the other.

Library Navigation Links

Copyright © 2003 O'Reilly & Associates. All rights reserved.