21.3 The Same-Origin Policy
There is one far-reaching security restriction in JavaScript that deserves its own section. This restriction is known as the same-origin policy: a script can read only the properties of windows and documents that have the same origin (i.e., that were loaded from the same host, through the same port, and by the same protocol) as the script itself.

The same-origin policy does not actually apply to all properties of all objects in a window from a different origin. But it does apply to many of them, and in particular, it applies to practically all of the properties of the Document object. For all intents and purposes, you should consider all predefined properties of all client-side objects with different origins off-limits to your scripts. User-defined properties of objects with different origins may also be restricted, although this may vary from implementation to implementation.

The same-origin policy is a fairly severe restriction, but it is necessary to prevent scripts from stealing proprietary information. Without this restriction, an untrusted script (perhaps a script loaded through a firewall into a browser on a secure corporate intranet) in one window could use DOM methods to read the contents of documents in other browser windows, which might contain private information.

Still, there are circumstances in which the same-origin policy is too restrictive. It poses particular problems for large web sites that use more than one server. For example, a script from home.netscape.com might legitimately want to read properties of a document loaded from developer.netscape.com, or scripts from orders.acme.com might need to read properties from documents on catalog.acme.com. To support large web sites of this sort, JavaScript 1.1 introduced the domain property of the Document object. By default, the domain property contains the hostname of the server from which the document was loaded. You can set this property, but only to a string that is a valid domain suffix of itself. Thus, if domain is originally the string "home.netscape.com", you can set it to the string "netscape.com", but not to "home.netscape" or "cape.com", and certainly not to "microsoft.com". (The domain value must have at least one dot in it; you cannot set it to "com" or any other top-level domain.)

If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows and each of the windows may read properties from the other. For example, cooperating scripts in documents loaded from orders.acme.com and catalog.acme.com might set their document.domain properties to "acme.com", thereby making the documents appear to have the same origin and enabling each document to read properties of the other.
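The following is an added example, not code from the book, that models the two rules described above: the protocol/host/port comparison that defines an origin, and the suffix rule a browser applies when a script assigns document.domain. It assumes the standard URL class is available (Node.js or a browser) and uses the hostnames from the text as constructed sample input.

```javascript
// Added example: a model of the same-origin check and of the document.domain
// assignment rule described in this section. Not browser-internal code.

// Ports implied by the protocol when the URL does not name one explicitly.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the triple the same-origin policy compares.
function origin(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Two documents share an origin only if protocol, host and port all match.
function sameOrigin(urlA, urlB) {
  const a = origin(urlA);
  const b = origin(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// May a document loaded from `currentHost` set document.domain to `newDomain`?
// The new value must contain at least one dot (so "com" is rejected) and must be
// the current hostname itself or a suffix of it at a label boundary, which rules
// out "cape.com" and "home.netscape" for a document from "home.netscape.com".
function canSetDomain(currentHost, newDomain) {
  if (!newDomain.includes(".")) return false;
  if (newDomain === currentHost) return true;
  return currentHost.endsWith("." + newDomain);
}

// After both documents assign document.domain, the policy is relaxed between
// them only if both assignments were legal and both chose the same value.
function relaxedSameOrigin(hostA, domainA, hostB, domainB) {
  return (
    canSetDomain(hostA, domainA) &&
    canSetDomain(hostB, domainB) &&
    domainA === domainB
  );
}
```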