document.domain Cross-subdomain

Source: Internet
Author: User

document.domain

This property returns the domain name of the current page.
For example, enter the following in the address bar:

javascript:alert(document.domain); // www.315ta.com

We can also assign a value to the document.domain property, but there are limits: you can only assign the current domain name or the base domain name.
For example:
javascript:alert(document.domain = "315ta.com"); // 315ta.com
javascript:alert(document.domain = "www.315ta.com"); // www.315ta.com

The above assignment is successful because www.315ta.com is the current domain name, and 315ta.com is the base domain.

However, the following assignments fail with an "invalid parameter" error:
javascript:alert(document.domain = "cctv.net"); // Invalid parameter
javascript:alert(document.domain = "ttt.315ta.com"); // Invalid parameter

Because cctv.net and ttt.315ta.com are neither the current domain name nor the base domain of the current domain name, the assignments fail.
This restriction prevents malicious modification of document.domain to achieve cross-domain data theft.


Cross-domain implementation with document.domain:
Prerequisites: the two domain names must belong to the same base domain name, and the protocol and port must be identical; otherwise document.domain cannot be used for cross-domain access.

For security reasons, JavaScript prohibits pages from different domains from interacting with one another.
Pages in the same domain can work with each other without any problem.

For example, a web page on aaa.com (a.html) uses an iframe to embed a web page (b.html) from bbb.com.
You can see the contents of b.html inside a.html, but you cannot use JavaScript to manipulate it. Because the two pages belong to different domains, the JS engine checks before each operation whether the domains of the two pages are equal: if they are equal, the operation is allowed; if not, it is rejected.
It is impossible to use JS to change a.html and b.html to the same domain, because their base domain names are not equal. (Forcing them to the same domain with JS produces the same "invalid parameter" error.)

If a.html instead embeds another page from aaa.com, there is no problem, because the domains are equal.

In another case, there are two subdomains:
aaa.xxx.com
bbb.xxx.com

A page on aaa (a.html) embeds a web page from bbb (b.html).
In this case a.html still cannot manipulate the contents of b.html,
because document.domain is not the same: one is aaa.xxx.com and the other is bbb.xxx.com.

Here we can use JavaScript to change the domain of both pages to the same value.
Add the following to both a.html and b.html:

document.domain = "xxx.com";

After that, the two pages can manipulate each other. That is, "cross-domain" access between pages of the same base domain is achieved.

When the primary domain is the same and the subdomains differ, the problem can be solved by setting document.domain. Specifically, add document.domain = 'a.com' to both http://www.a.com/a.html and http://script.a.com/b.html, then create an iframe in a.html and control the iframe's contentDocument, so that the scripts of the two pages can "interact" with each other. Of course, this approach only works when the primary domain is the same and the subdomains differ; if you whimsically try to set the domain of script.a.com to alibaba.com, that will obviously raise an error! The code is as follows:

The a.html on www.a.com

document.domain = 'a.com';
var ifr = document.createElement('iframe');
ifr.src = 'http://script.a.com/b.html';
ifr.style.display = 'none';
document.body.appendChild(ifr);
ifr.onload = function () {
    var doc = ifr.contentDocument || ifr.contentWindow.document;
    // manipulate b.html here
    alert(doc.getElementsByTagName("h1")[0].childNodes[0].nodeValue);
};

The b.html on script.a.com

document.domain = 'a.com';

This approach allows any pages in {www.kuqin.com, kuqin.com, script.kuqin.com, css.kuqin.com} to communicate with each other.

Note: the default domain of a page is equal to window.location.hostname. The primary domain is the domain name without www, such as a.com; a name with one or more labels in front of it is a second-level or multi-level domain name, so www.a.com is actually a second-level domain name (a subdomain). document.domain can only be set to the primary domain name; a page on b.a.com cannot set it to c.a.com.

Problems:
1. Security: when one site (b.a.com) is attacked, the other site (c.a.com) is exposed to security vulnerabilities as well.
2. If a page embeds multiple iframes and needs to operate on all of them, every one of them must set the same domain.
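
The assignment rule and the access check described above, together with Problem 1, as an added example that is not code from the original article. It is a simplified model, not browser code: the public-suffix list is a constructed two-entry sample, ports are left out, and Page, canSetDomain, canScript, whoCanReach and the host c.a.com are hypothetical names.

```javascript
// Simplified model of the document.domain rules described above (not browser code).
// Assumptions: the public-suffix list is a tiny constructed sample (browsers use
// the real Public Suffix List), and ports are left out of the model.
const PUBLIC_SUFFIXES = ['com', 'net'];

// Accept only the current host or a parent suffix that is not a public suffix.
function canSetDomain(host, value) {
  if (PUBLIC_SUFFIXES.includes(value)) return false;
  return host === value || host.endsWith('.' + value);
}

class Page {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.domain = null; // stays null until the page assigns document.domain
  }
  setDomain(value) {
    if (!canSetDomain(this.host, value)) throw new Error('invalid parameter');
    this.domain = value;
    return this;
  }
}

// Neither page relaxed: hosts must match. Both relaxed: assigned values must
// match. Only one relaxed: access is refused.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  if (a.domain === null || b.domain === null) return false;
  return a.domain === b.domain;
}

// Problem 1 above: every sibling that assigns the same value can reach the target.
function whoCanReach(target, pages) {
  return pages.filter(p => p !== target && canScript(p, target)).map(p => p.host);
}

const www = new Page('http://www.a.com/a.html');
const script = new Page('http://script.a.com/b.html');
const other = new Page('http://c.a.com/x.html'); // hypothetical third subdomain
console.log(canScript(www, script));             // false
www.setDomain('a.com'); script.setDomain('a.com');
console.log(whoCanReach(www, [script, other]));  // [ 'script.a.com' ]
other.setDomain('a.com');
console.log(whoCanReach(www, [script, other]));  // [ 'script.a.com', 'c.a.com' ]
```

The last line is the point of Problem 1: once www.a.com has set document.domain to a.com, its exposure is decided by the least trustworthy host under a.com, so the set of subdomains able to serve script is what needs auditing.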
