What determines the value of document.domain property on page? It seems like it's not always equal to the root url domain.
document.domain contains the complete domain (including subdomains) from which the page was downloaded. You can set it manually to a parent domain. E.g., you can set the domain of a document loaded from subdomain.example.com to example.com. <iframe>s may have a different domain than the domain in the url bar.
Related
I know that document.domain sets the domain portion of the same origin policy. How to set the port portion for the same origin policy?
Details
I can use document.domain to set the domain portion. This sets the port portion to null. By default the document inside iframe sets the port portion to 80/443. So the same origin policy fails and the parent JS will not be able to access the iframe content document object. So is there a way to set the port portion of the same origin policy in the parent JS?
From the MDN docs:
The port number is checked separately by the browser. Any call to
document.domain, including document.domain = document.domain, causes
the port number to be overwritten with null. Therefore, one cannot
make company.com:8080 talk to company.com by only setting
document.domain = "company.com" in the first. It has to be set in both
so their port numbers are both null.
I understand if we have payment.example.com and news.example.com and they both set document.domain to exmaple.com they can communicate. However, what if en.news.example.com opt-in and set document.domain=example.com? is it also possible to communicate?
Document.domain
Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.
Example :
// for document www.example.xxx/good.html,
// this script closes the window
var badDomain = "www.example.xxx";
if (document.domain == badDomain)
window.close(); // Just an example - window.close() sometimes has no effect.
var domain = document.domain;
Changing the value of this property is the easiest way to work around the limitations that the same origin policy applies when your pages are on different sub-domains of the same site. While JavaScript would normally consider pages from blog.example.com and from forum.example.com to be from different origins and so not allow JavaScript from one to interact with web pages from the other, you can resolve this particular restriction by setting the document.domain in both pages to the same value. By setting the document.domain to the shortest version of your domain name in all of your scripts you would allow your JavaScript to communicate across all of the pages of your site regardless of protocol, sub-domain or port.
I have a page that has an iframe which loads html template from amazon aws s3 bucket. In the iframe, I want to take the link of the parent window, then add some parameters.
E.g: My parent window has the link http://xx.xx.x.xxx:8088 . I want to take this url, apprend "#abc/edf" and redirect to that page. But I cannot because my iFrame has url https://bucketName.s3.amazonaws.com
The error I get is
Uncaught SecurityError: Blocked a frame with origin "https://bucketName.s3.amazonaws.com" from accessing a frame with origin "http://xx.xx.x.xxx:8088". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.
The javascript I used to redirect to another page from within an iFrame
function navigateTo(e){
var destination = e.data.destination;
var url = window.parent.location.host;
window.parent.location.href = url+destination;
}
$("#button").click({destination: "/#abc/edf"}, navigateTo);
html
<div id="button">Redirect to another page</div>
I cannot use absolute path for a reason. The parent window link will change somehow. I think the best solution is to take the parent url and append the parameters that I want. How can I make this happen without getting the security error?
Short answer is "you can't."
Browser security model precludes cross-domain and cross-protocol scripting from the client side. Your embedded iframe under the https protocol is not allowed to access (not even read) its parent's non-https context.
To do what you want, both contexts must agree on both domain of origin and protocol in order to interact on the client side.
Say that I have a domain subdomain.domain.com, when I check the document.domain I'm getting the result subdomain.domain.com, what can I do to get only the original domain without the sub domain, for example: domain.com
This will work for a .com domain in the example you specified, you would have to adjust the slice for .co.uk, .com.au and some other TLDs:
document.domain.split(".").slice(-2).join(".");
I have a page at an internal server, server1.mydomain.com/page.jsp and another page at a different internal server, 10.x.x.x:8081/page.aspx.
On server1.mydomain.com, I set document.domain in page.jsp like this:
//page.jsp on server1.mydomain.com
document.domain = document.domain;
When I issue an alert on document.domain, it comes up as server1.mydomain.com.
On the 10.x.x.x server, I set document.domain in page.aspx, as a result, like this:
//page.aspx on 10.x.x.x
document.domain = "server1.mydomain.com";
// test if same-origin policy violation occurs
document.getElementById("div_el").innerHTML = window.top.location.href;
In Safari 5.1.5, an error pops up on the console:
SECURITY_ERR: DOM Exception 18: An attempt was made to break through the security policy of the user agent."
From what I understand, when you set document.domain, the port number is set to null; so, you have to set it on both ends, which I did. Then, this error occurs and I'm scratching my head why. Does this have anything to do with the fact I'm using 10.x.x.x and not an actual domain name?
Thank you.
You can only use document.domain to change from a more specific sub domain to a less specific domain. Like...
console.log(document.domain); // server1.mydomain.com
document.domain = 'mydomain.com'
console.log(document.domain); // mydomain.com
It can't be used to set to a more specific sub domain or to an entirely different domain.
You can only set document.domain to its current value or to a super-domain of the current setting. Thus, a page at "foo.something.com" can set it to "something.com", but not "something.else.com".