I have some JavaScript that is sharing a request between two separate servers on the same domain.

Is .com a requirement for the domain in JavaScript?

In this case both the servers are on the .abc.tyy domain, with the tyy being what would normally be .com.

Wondering if I can only use .com for the domain? I am getting a permission denied error, but this code works fine on other separate servers on the same domain (.com).

Updated: Here is exactly how I'm using this:

123.abc.tyy has a script that loads properties that I want to access.

The script on 123.abc.tyy at opening script tag, sets the document.domain to 'abc.tyy'.

When I call the 'getUser()' function in 123.abc.tyy's script FROM 234.abc.tyy I am getting a permission denied error.

The way I am calling 'getUser()' is: I access http://123.abc.tyy in a browser, and the site allows me to specify a URL to load in one of its frames. I point that URL to http://234.abc.tyy/BeginLoadPatient.aspx. In that page I am doing the following:

`window.location = 'http://234.abc.tyy/LoadPatient.aspx?PatientId=' + getUser();` with getUser being a function originating in 123.abc.tyy

If I add 234.abc.tyy and 123.abc.tyy to my trusted sites, everything works fine - is this skipping over the same origin policy?

+2  A: 

No, the SOP doesn't care what the domain is, only that it represents the same origin. (Could it be that you have the .com domain hard-coded somewhere?)

Note that there's more than the domain to consider. The Same Origin Policy looks at protocol, port, and host as well. So aaa.abc.tyy and bbb.abc.tyy are different origins.

If you're in control of the servers involved, you might look at Cross-Origin Resource Sharing, but unfortunately CORS is only implemented in modern browsers (and on those versions of IE where it's supported, it's only supported if you use it explicitly).

Another option, of course, is JSON-P, which has the advantage of working cross-browser right now.

Another thing to look at is document.domain, details here and here.


Update after your edits:

> The script on 123.abc.tyy at opening script tag, sets the document.domain to 'abc.tyy'.
>
> When I call the 'getUser()' function in 123.abc.tyy's script FROM 234.abc.tyy I am getting a permission denied error.

You'll need to set document.domain to "abc.tyy" in BeginLoadPatient.aspx as well.

> If I add 234.abc.tyy and 123.abc.tyy to my trusted sites, everything works fine - is this skipping over the same origin policy?

I wouldn't be at all surprised (although to me it would be pretty dodgy), but have no first-hand knowledge of it. Would be easy to test.

T.J. Crowder
Hello, thank you for the good information. I have other deployments with different host names that seem to be working fine - maybe it's the permissions in the browsers? I will follow up with another comment when I review everything you've shared. Thank you.
@user53885: There's also `document.domain`, might be worth looking into -- I've added links above.
T.J. Crowder
Added more details of my scenario.
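
As an added example (not code from the question or from either answer), the sketch below models the check described in the answer above: scheme, host and port must match unless both pages have assigned the same `document.domain`. The names `origin`, `canSetDomain`, `canAccess` and the `documentDomain` field are assumptions made for illustration, and the sample pages are constructed from the host names in the question.

```javascript
// Added illustration: a simplified model of the browser's cross-frame check.
// `documentDomain` is null unless that page explicitly assigned document.domain.

function origin(url) {
  const u = new URL(url);
  const defaults = { 'http:': '80', 'https:': '443' };
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || '' };
}

// A page may only assign its own host or a parent suffix of it.
// (Browsers also reject public suffixes; that check is omitted here.)
function canSetDomain(url, value) {
  const host = origin(url).host;
  return host === value || host.endsWith('.' + value);
}

function canAccess(a, b) {
  const oa = origin(a.url), ob = origin(b.url);
  if (oa.scheme !== ob.scheme) return { allowed: false, reason: 'scheme differs' };
  const aSet = a.documentDomain !== null, bSet = b.documentDomain !== null;
  if (aSet !== bSet) return { allowed: false, reason: 'only one page set document.domain' };
  if (aSet) {
    if (!canSetDomain(a.url, a.documentDomain) || !canSetDomain(b.url, b.documentDomain)) {
      return { allowed: false, reason: 'document.domain value not allowed for host' };
    }
    const match = a.documentDomain === b.documentDomain;
    return { allowed: match, reason: match ? 'matching document.domain' : 'document.domain values differ' };
  }
  const same = oa.host === ob.host && oa.port === ob.port;
  return { allowed: same, reason: same ? 'same origin' : 'host or port differs' };
}

// Constructed sample pages, using the host names from the question.
const outer = { url: 'http://123.abc.tyy/', documentDomain: 'abc.tyy' };
const frameBefore = { url: 'http://234.abc.tyy/BeginLoadPatient.aspx', documentDomain: null };
const frameAfter = { ...frameBefore, documentDomain: 'abc.tyy' };

console.log(canAccess(frameBefore, outer)); // frame has not opted in
console.log(canAccess(frameAfter, outer));  // both pages opted in
```

The `document.domain` setter is deprecated in current browsers, so this model describes the legacy behaviour discussed in this thread.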
+1  A: 

I don't fully understand the scope of the question, but this may be useful to you.

http://stackoverflow.com/questions/2543784/javascript-same-origin-policy-how-does-it-apply-to-different-subdomains

RBW_IN