Home/ Questions/Q 735169
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T07:27:27+00:00

I’m trying to prove that changing document.domain can be used only for cross scripting

  • 0

I’m trying to prove that changing document.domain can be used only for cross scripting on the same upper level domain. For example if i will try to change document.domain to “google.com” on page which is located on http://www.test.com I will get a security exception in FF. Does anybody know where to locate an official proof of that?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Check out : developer.mozilla.org/same-origin-policy

    Here is an excerpt from the site:

    There is one exception to the same
    origin rule. A script can set the
    value of document.domain to a suffix
    of the current domain. If it does so,
    the shorter domain is used for
    subsequent origin checks. For example,
    assume a script in the document at
    http://store.company.com/dir/other.html
    executes the following statement:

    document.domain = "company.com";

    After
    that statement executes, the page
    would pass the origin check with
    http://company.com/dir/page.html.
    However, by the same reasoning,
    company.com could not set
    document.domain to othercompany.com.

    • 0