AJAX - The Complete Reference


300 Part II: Developing an Ajax Library


Exceptions to the Same-Origin Policy


Modern browsers enforce the same-origin policy on nearly all the properties and methods
available to JavaScript. A few methods and properties remain callable across origins,
depending on the browser in play, such as focusing and blurring windows (window.focus()
and window.blur()) and setting a window's URL location, as described in a previous edition of
the book JavaScript: The Complete Reference. Some of these have already been removed from
browsers, and support is changing rapidly as permissive JavaScript language features are
abused. We opt not to present these holes, as they will likely be closed by the time you read
this. We will, however, discuss a purposeful loosening of the same-origin policy that will
soon be available in your browser.
There is certainly a bit of leeway in the same-origin policy when the documents are loaded
from different servers within the same domain. Setting the domain property of the Document
in which a script resides to a more general domain allows scripts to access documents from
that domain without violating the same-origin policy. For example, a script in a document
loaded from http://www.subdomain.example.com could set document.domain to
subdomain.example.com or example.com. Doing so enables the script to pass origin checks when
accessing windows loaded from subdomain.example.com or example.com, respectively. The script
from http://www.subdomain.example.com could not, however, set document.domain to a totally
different domain such as ajaxref.com, nor to a bare top-level domain such as com.
Two caveats apply. First, the relaxation is mutual: the document on the other side must also
set document.domain to the same value (even a document already served from example.com must
assign document.domain = "example.com" explicitly), and once a document has set the property
its port is no longer considered in the comparison. Second, because the setter lets any host
under a domain opt in to sharing with every other host under it, browser vendors have since
deprecated it; Chromium-based browsers ignore the setter by default unless the server sends an
Origin-Agent-Cluster: ?0 header, so treat it as a legacy mechanism.
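The following is an added example, not code from the book: a small JavaScript model of the checks a browser applies to document.domain, written against the HTML specification's "same origin-domain" rule rather than any real browser's source. The function names, the constructed PUBLIC_SUFFIXES subset (a real browser consults the full Public Suffix List) and the scenario in demo() are assumptions made for illustration; it runs as-is under Node.

```javascript
// Added example, not code from the book: a model of the rules a browser
// applies to document.domain, following the HTML specification's
// "same origin-domain" check. PUBLIC_SUFFIXES is a constructed subset;
// a real browser consults the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// May a document served from `host` set document.domain to `target`?
// The target must be the host itself or a suffix of it at a dot boundary,
// and it must not be a bare public suffix such as "com" or "co.uk".
function canRelaxDomainTo(host, target) {
  host = host.toLowerCase();
  target = target.toLowerCase();
  if (target === "" || PUBLIC_SUFFIXES.has(target)) return false;
  return host === target || host.endsWith("." + target);
}

// A document's origin: scheme, host and port, plus the value assigned through
// document.domain (null until the setter has been used).
function makeDocument(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Mirrors the document.domain setter: an illegal value raises a SecurityError.
function setDomain(doc, target) {
  if (!canRelaxDomainTo(doc.host, target)) {
    throw new Error("SecurityError: " + doc.host + " cannot set document.domain to " + target);
  }
  doc.domain = target.toLowerCase();
  return doc;
}

// Plain same-origin: scheme, host and port all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The check applied to cross-window DOM access. Either neither document has
// touched document.domain and the origins are identical, or BOTH have set it
// to the same value under the same scheme, in which case ports are ignored.
// A document that set the property, even to its own host, no longer matches
// an otherwise identical document that did not.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain === null || b.domain === null) return false;
  return a.scheme === b.scheme && a.domain === b.domain;
}

// Walks through the scenario in the text and returns each outcome by name.
function demo() {
  const www = makeDocument("http", "www.subdomain.example.com", 80);
  const parent = makeDocument("http", "example.com", 80);
  const results = {};

  results.beforeRelax = sameOriginDomain(www, parent);         // false: different hosts
  setDomain(www, "example.com");
  results.oneSided = sameOriginDomain(www, parent);            // false: example.com has not opted in
  setDomain(parent, "example.com");
  results.bothSides = sameOriginDomain(www, parent);           // true

  const onOtherPort = setDomain(makeDocument("http", "api.example.com", 8080), "example.com");
  results.portIgnored = sameOriginDomain(www, onOtherPort);    // true: ports drop out once domain is set

  const twin = makeDocument("http", "www.subdomain.example.com", 80);
  results.setterBreaksIdentical = sameOriginDomain(www, twin); // false: www opted in, twin did not

  try {
    setDomain(makeDocument("http", "www.subdomain.example.com", 80), "ajaxref.com");
    results.foreignDomain = "allowed";
  } catch (e) {
    results.foreignDomain = "rejected";                        // "rejected"
  }
  return results;
}

console.log(demo());
```

The two results worth noting are oneSided and setterBreaksIdentical: a page that relaxes its domain gains nothing until the other page does the same, and in doing so it loses access to any same-host window that has not opted in, which is why the setter is usually placed in a shared script loaded by every page that needs to cooperate.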

FIGURE 7-3 Testing same-origin policy in Firefox