Gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
var domainString = document.domain; document.domain = string;
// for document www.example.xxx/good.html, // this script closes the window var badDomain = "www.example.xxx"; if (document.domain == badDomain) window.close(); // Just an example - window.close() sometimes has no effect.
// For the URI http://developer.mozilla.org/en/docs/DOM the // following sets domain to the string "developer.mozilla.org" var domain = document.domain;
This property returns
null if the domain of the document cannot be identified.
Mozilla will let you set it to a superdomain of the current value, constrained by its base domain. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org". See the implementation (line number may rot).
Mozilla distinguishes a
document.domain property that has never been set from one explicitly set to the same domain as the document's URL, even though the property returns the same value in both cases. One document is allowed to access another if they have both set
document.domain to the same value, indicating their intent to cooperate, or neither has set
document.domain and the domains in the URLs are the same (implementation). Were it not for this special policy, every site would be subject to XSS from its subdomains (for example, https://bugzilla.mozilla.org could be attacked by bug attachments on https://bug*.bugzilla.mozilla.org).
- DOM Level 2 HTML: document.domain (describes it as read-only)
- HTML5: document.domain (describes behavior similar to Mozilla's)