Same origin policy

The same origin policy prevents document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

http://store.company.com/dir2/other.html

http://store.company.com/dir/inner/another.html

https://store.company.com/secure.html

http://store.company.com:81/dir/etc.html

http://news.company.com/dir/other.html

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

document.domain = "company.com";

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.