March 13, 2011, 7 p.m.
posted by idm
Some security measures are browser-dependent or require deliberate action. One such measure uses digital signatures to sign a script. A signed script is allowed to bypass many of the sandbox security policies associated with JS, including the same-domain policy (depending on browser and access granted). For instance, this is an approach Ajax developers sometimes use to communicate with server applications located on domains different from that of the web page initiating the request.
The limitation with signed scripts is the lack of universal support for the concept. Mozilla/Firefox support signing the script, but Internet Explorer does not; IE supports only signing of controls. Other browsers don't support either. This limitation is enough to make the concept impractical for most Internet use.
Same-Origin Security Policy
Unfortunately, the same-origin policy can work against a site developer's efforts. The use of alternative hostnames under one domain, known as subdomains, such as about.somecompany.com and help.somecompany.com, is becoming increasingly popular, and the host-name component of the same-origin check can become prohibitive. To work around this restriction, the document object has a domain property which, when set, allows subdomain pages to communicate with each other, but only subdomain pages, and only if the value assigned matches the original host's domain.
The following will work:
document.domain = "somecompany.com";
This will not:
document.domain = "othercompany.com";
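The rules just described can be modelled outside a browser. The following is an added example, not code from the original post: a small simulation, in plain JavaScript, of which document.domain assignments a browser accepts for a given host, and of when two frames that have relaxed their domain may access each other. The frame objects and helper names are assumptions made for the illustration; real browsers additionally reject public suffixes (such as "com") using a suffix list, which is approximated here by a simple check.

```javascript
// Added example: simulates the document.domain relaxation rules described above.
// Not browser code; frames are plain objects constructed for illustration.

// Can a page served from `host` set document.domain to `value`?
// Allowed: the host itself, or a parent domain of the host.
// Rejected: unrelated domains, and (approximated) bare public suffixes like "com".
function canSetDocumentDomain(host, value) {
  if (value === host) return true;
  if (!host.endsWith("." + value)) return false; // othercompany.com is not a parent
  return value.includes("."); // "com" alone has no dot: treated as a public suffix
}

// A frame: where it was loaded from, plus the document.domain it has set (if any).
function makeFrame(scheme, host) {
  return { scheme, host, effectiveDomain: null };
}

// Attempt the assignment; returns true on success, false if the browser would refuse.
function setDocumentDomain(frame, value) {
  if (!canSetDocumentDomain(frame.host, value)) return false;
  frame.effectiveDomain = value;
  return true;
}

// Strict same-origin: scheme, host and (implicitly) port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host;
}

// Access between frames is allowed if they share an origin, or if BOTH have
// explicitly set document.domain to the same value under the same scheme.
// Setting it on only one side is not enough (the other keeps strict origin).
function canAccess(a, b) {
  if (sameOrigin(a, b) && a.effectiveDomain === b.effectiveDomain) return true;
  return (
    a.effectiveDomain !== null &&
    a.effectiveDomain === b.effectiveDomain &&
    a.scheme === b.scheme
  );
}

// Worked scenario from the post: two subdomain pages relax to the shared parent.
function subdomainScenario() {
  const about = makeFrame("https", "about.somecompany.com");
  const help = makeFrame("https", "help.somecompany.com");
  const before = canAccess(about, help);              // false: different hosts
  const okAbout = setDocumentDomain(about, "somecompany.com");
  const onlyOne = canAccess(about, help);             // false: help has not relaxed
  const okHelp = setDocumentDomain(help, "somecompany.com");
  const after = canAccess(about, help);               // true: both set the same value
  const rejected = setDocumentDomain(about, "othercompany.com"); // false
  return { before, okAbout, onlyOne, okHelp, after, rejected };
}

module.exports = { canSetDocumentDomain, makeFrame, setDocumentDomain, canAccess, subdomainScenario };
```

The point to notice is the `onlyOne` step: relaxing document.domain on a single page does not open it to its sibling; both pages must opt in, which is what keeps the mechanism limited to cooperating subdomains rather than a general bypass.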
The same-origin policy does apply, however, to the implementation of cookies.