You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



The Same Origin Policy

Page Maintained by Jesse Ruderman

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

| URL | Outcome | Reason |
|---|---|---|
| http://store.company.com/dir2/other.html | Success | |
| http://store.company.com/dir/inner/another.html | Success | |
| https://store.company.com/secure.html | Failure | Different protocol |
| http://store.company.com:81/dir/etc.html | Failure | Different port |
| http://news.company.com/dir/other.html | Failure | Different host |

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

    document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html.

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.
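
The comparison rule and the document.domain exception described above can be modelled in a few lines. This is an added example, not Mozilla's code: makePage, setDomain and sameOrigin are hypothetical names, and the requirement that a suffix begin at a label boundary is an assumption the page does not spell out.

```javascript
// Added example: models the origin check as this page words it.
// makePage, setDomain and sameOrigin are hypothetical names, not browser APIs.
function makePage(url) {
  const u = new URL(url);
  // u.port is "" when the URL gives no port (or gives the scheme default).
  return { protocol: u.protocol, port: u.port, domain: u.hostname };
}

// Models `document.domain = value`: only a suffix of the current domain is
// accepted. Assumption: the suffix must begin at a label boundary, so
// "company.com" is a suffix of "store.company.com", not of "othercompany.com".
function setDomain(page, value) {
  if (page.domain !== value && !page.domain.endsWith("." + value)) {
    throw new Error(`"${value}" is not a suffix of "${page.domain}"`);
  }
  page.domain = value;
  return page;
}

function sameOrigin(a, b) {
  if (a.protocol !== b.protocol) return { ok: false, reason: "Different protocol" };
  if (a.port !== b.port) return { ok: false, reason: "Different port" };
  if (a.domain !== b.domain) return { ok: false, reason: "Different host" };
  return { ok: true, reason: "" };
}

// The reference URL and comparison URLs from the table on this page.
const BASE = "http://store.company.com/dir/page.html";
const TABLE_URLS = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/secure.html",
  "http://store.company.com:81/dir/etc.html",
  "http://news.company.com/dir/other.html",
];

function checkTable() {
  return TABLE_URLS.map((url) => sameOrigin(makePage(BASE), makePage(url)));
}

// The document.domain exception: store.company.com shortens its domain and
// then passes the check against company.com.
function domainException() {
  const store = makePage("http://store.company.com/dir/other.html");
  setDomain(store, "company.com");
  return sameOrigin(store, makePage("http://company.com/dir/page.html"));
}
```

The label-boundary test is what keeps othercompany.com from shortening its domain to company.com, even though one string ends with the other.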