domain Property (document, HTMLDocument Constructor)

domain Property

Sets or gets the security domain of the document.

Syntax

[ sDomain = ] object.domain

Possible Values

sDomain String that specifies or receives the domain suffix.
The property is read/write. The property has no default value.
DHTML expressions can be used in place of the preceding value(s). As of Internet Explorer 8, expressions are supported in IE7 Standards mode and IE5 (Quirks) mode only. For more information, see About Dynamic Properties and Defining Document Compatibility.

Remarks

The property initially returns the host name of the server from which the page is served. The property can be assigned the domain suffix to allow sharing of pages across frames. For example, a page in one frame from home.microsoft.com and a page from www.microsoft.com initially cannot communicate with each other. However, by setting the domain property of both pages to the suffix "microsoft.com," you ensure that both pages are considered secure and access is available between the pages.
When you set the domain property, use the domain name determined by the server instead of the domain name determined by the client .
All the pages on different hosts must have the domain property explicitly set to the same value to communicate successfully with each other. For example, the value of the domain property of a page on the host microsoft.com is "microsoft.com" by default. It might seem logical that if you set the domain property of a page on another host named msdn.microsoft.com to "microsoft.com," that the two pages could communicate with each other. However, this is not the case, unless you explicitly set the domain property of the page on microsoft.com to "microsoft.com."
This property cannot be used to enable cross-frame communication among frames with different domain suffixes. For example, a page in one frame from www.microsoft.com and a page in another frame from www.msn.com cannot communicate with each other, even if the domain property of both pages is set to the suffix "microsoft.com."
Security Alert If you use this property incorrectly, you can compromise the security of your Web site. Set the domain property only if you must allow cross-domain scripting. Use a value determined on the server. If you set this property to a value determined on the client, such as through the location object, you might expose your site to attack from another site through Domain Name System (DNS) manipulation. For more information, see Security Considerations: Dynamic HTML.
For more information on domain security, see About Cross-Frame Scripting and Security.

Standards Information

This property is defined in Document Object Model (DOM) Level 1.

Applies To

document, HTMLDocument Constructor

Tags

: Add a tag

Community Content

Add new content

Annotations

Bug with Security Zones

Scott Trenda | Edit | Show History

If two windows (iframe or opened window) set the same document.domain but are in different security zones (e.g. one of the subdomains is in Trusted Sites and the other is in Internet - it shows "Unknown Zone (Mixed)"), they cannot interact with each other. This happens regardless of the settings for "Access data sources across domains", "Navigate sub-frames across different domains", and "Websites in less privileged web content zone can navigate into this zone" options in the Security Settings for either security zone. If the sites are in the same zone (even if the zone is Internet), then the windows can interact with each other after document.domain is set. $0$0 $0 $0Please fix this or provide a different way to deal with it from within our code. The document.domain is supposed to be the correct way to allow cross-subdomain frame interaction, but this security zone issue forces another layer of restrictions into the cross-subdomain interaction requirements. As web developers, we have no way of enforcing what Security Zone settings are in effect on the client, and this issue becomes a showstopper if the client's machine only puts a portion of the related subdomains into the Trusted Sites zone.$0