Document.domain

  • Revision slug: DOM/document.domain
  • Revision title: document.domain
  • Revision id: 362357
  • Created:
  • Creator: ethertank
  • Is current revision? No
  • Comment +Link (HTML5 Spec)

Revision Content


Summary

Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.

Syntax

var domainString = document.domain;
document.domain = string;

Example

// for document www.example.xxx/good.html,
// this script closes the window
var badDomain = "www.example.xxx";

if (document.domain == badDomain)
   window.close(); // Just an example - window.close() sometimes has no effect.

// For the URI http://developer.mozilla.org/en/docs/DOM the
// following sets domain to the string "developer.mozilla.org"
var domain = document.domain;

Notes

This property returns null if the domain of the document cannot be identified.

In the DOM HTML specification, this property is listed as being read-only. However, Mozilla will let you set it to a superdomain of the current value, constrained by its base domain. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org". See the implementation (line number may rot).

Mozilla distinguishes a document.domain property that has never been set from one explicitly set to the same domain as the document's URL, even though the property returns the same value in both cases. One document is allowed to access another if they have both set document.domain to the same value, indicating their intent to cooperate, or neither has set document.domain and the domains in the URLs are the same (implementation). Were it not for this special policy, every site would be subject to XSS from its subdomains (for example, https://bugzilla.mozilla.org could be attacked by bug attachments on https://bug*.bugzilla.mozilla.org).
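
The two rules in the notes above (which values may be assigned, and when one document may access another) can be modelled in a few lines of JavaScript. This is an added example, not Mozilla's implementation: the `BASE_DOMAINS` list, the helper names and the host `bug1.bugzilla.mozilla.org` are constructed for illustration, and scheme and port are left out of the model.

```javascript
// Simplified model of the Notes above (added example; not Mozilla's code).
// Scheme and port are left out; only the host rules are modelled.

// Constructed stand-in for the browser's effective-TLD (base domain) lookup.
const BASE_DOMAINS = ["mozilla.org", "mozilla.com"];

function isSameOrSubdomain(host, parent) {
  return host === parent || host.endsWith("." + parent);
}

function baseDomainOf(host) {
  return BASE_DOMAINS.find((b) => isSameOrSubdomain(host, b)) || null;
}

// A document starts with document.domain equal to its URL host, flagged "never set".
function makeDoc(host) {
  return { host, domain: host, domainSet: false };
}

// Rule 1: the new value must be the current value or a superdomain of it,
// and must not go above the base domain.
function canSetDomain(doc, value) {
  const base = baseDomainOf(doc.domain);
  return base !== null &&
    isSameOrSubdomain(doc.domain, value) &&
    isSameOrSubdomain(value, base);
}

function setDomain(doc, value) {
  if (!canSetDomain(doc, value)) throw new Error("SecurityError: " + value);
  doc.domain = value;
  doc.domainSet = true; // remembered even when value equals the URL host
}

// Rule 2: access needs both documents to have opted in with the same value,
// or neither to have opted in and the URL hosts to match.
function canAccess(a, b) {
  if (a.domainSet && b.domainSet) return a.domain === b.domain;
  if (!a.domainSet && !b.domainSet) return a.host === b.host;
  return false;
}

function bugzillaScenario() {
  const site = makeDoc("bugzilla.mozilla.org");
  const attachment = makeDoc("bug1.bugzilla.mozilla.org"); // constructed host
  setDomain(attachment, "bugzilla.mozilla.org");
  const before = canAccess(attachment, site); // same value, but site never set it
  setDomain(site, "bugzilla.mozilla.org");    // site explicitly opts in
  return { before, after: canAccess(attachment, site) };
}
```

In `bugzillaScenario()` the attachment document reports the same `document.domain` string as the main site after its assignment, yet access is refused until the main site makes its own explicit assignment.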

Specification

See also

Revision Source

<div>
  {{DomRef}}</div>
<h2 id="Summary" name="Summary">Summary</h2>
<p>Gets/sets the domain portion of the origin of the current document, as used by the <a href="/en-US/docs/Same_origin_policy_for_JavaScript" title="Same origin policy for JavaScript">same origin policy</a>.</p>
<h2 id="Syntax" name="Syntax">Syntax</h2>
<pre class="syntaxbox">
var <var>domainString</var> = document.domain;
document.domain = <var>string</var>;</pre>
<h2 id="Example" name="Example">Example</h2>
<pre class="brush:js">
// for document www.example.xxx/good.html,
// this script closes the window
var badDomain = "www.example.xxx";

if (document.domain == badDomain)
   window.close(); // Just an example - window.close() sometimes has no effect.
</pre>
<pre class="brush:js">
// For the URI <a href="http://developer.mozilla.org/en/docs/DOM" rel="freelink">http://developer.mozilla.org/en/docs/DOM</a> the
// following sets domain to the string "developer.mozilla.org"
var domain = document.domain;
</pre>
<h2 id="Notes" name="Notes">Notes</h2>
<p>This property returns <code>null</code> if the domain of the document cannot be identified.</p>
<p>In the DOM HTML specification, this property is listed as being read-only. However, Mozilla will let you set it to a superdomain of the current value, constrained by its <a href="/en-US/docs/XPCOM_Interface_Reference/nsIEffectiveTLDService#getBaseDomain.28.29" title="nsIEffectiveTLDService#getBaseDomain.28.29">base domain</a>. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org". See <a class="link-https" href="https://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#1492" title="https://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#1492">the implementation</a> (line number may rot).</p>
<p>Mozilla distinguishes a <code>document.domain</code> property that has never been set from one explicitly set to the same domain as the document's URL, even though the property returns the same value in both cases. One document is allowed to access another if they have both set <code>document.domain</code> to the same value, indicating their intent to cooperate, or neither has set <code>document.domain</code> and the domains in the URLs are the same (<a class="link-https" href="https://mxr.mozilla.org/mozilla-central/source/caps/src/nsScriptSecurityManager.cpp#1003" title="https://mxr.mozilla.org/mozilla-central/source/caps/src/nsScriptSecurityManager.cpp#1003">implementation</a>). Were it not for this special policy, every site would be subject to XSS from its subdomains (for example, <a class="link-https" href="https://bugzilla.mozilla.org" rel="freelink">https://bugzilla.mozilla.org</a> could be attacked by bug attachments on <a class="link-https" href="https://bug*.bugzilla.mozilla.org" rel="freelink">https://bug*.bugzilla.mozilla.org</a>).</p>
<h2 id="Specification" name="Specification">Specification</h2>

<ul>
  <li><a href="http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-2250147">DOM Level 2 HTML: document.domain</a></li>
<li><a href="http://www.w3.org/TR/html5/browsers.html#dom-document-domain" title="5 Loading Web pages — HTML5">5 Loading Web pages #dom-document-domain — HTML5</a></li>
</ul>

<h2 id="See_also" name="See_also">See also</h2>
<ul>
  <li><a href="/en-US/docs/Same_origin_policy_for_JavaScript" title="Same origin policy for JavaScript">Same origin policy for JavaScript</a></li>
</ul>