Will cross-domain scripting using JavaScript work when the two frames have the same domain 2 levels up?

Question

I have a scenario, in which a .net application is hosted from SAP portal.

• SAP portal domain: portalURL.al.xx.company.com
• App server domain: AppURL.ss.xx.company.com

As you can notice the portal and the app server domains are not same 1 level up.(i.e. at 1 level up, portal domain will be al.xx.company.com & app server will be ss.xx.company.com).

However at 2 levels up both the portal and app server domains are same. (i.e. xx.company.com).

In my JavaScript code, I have set the document.domain object to be xx.company.com. However still I am getting 'permission denied' error.

The protocol of both portal and appserver are same.

Will the cross domain scripting under same-origin law work only if the domains are same at 1 level up? Please let me know.

Answer 1

Yes, the Same-Origin policy will deny this. The two frames have to be on the exact same domain, and even the same port.

However, document.domain should work around that. If it's not working for you, remember that you have to set document.domain to xx.company.com in both frames (and, if you're working your way up a hierarchy of other frames to get there (eg top.frame2) you'll need to set it for those other frames as well (top).

If you have access to all the code, though, it's possible that you can work around this with JSON-P

Answer 2

Have a look at Same origin policy, try considering the jsonp.