If all three of these conditions aren't met, the two scripts are not allowed to interact. For instance, a script running on www.wrox.com cannot access a page from p2p.wrox.com because these are considered different domain names (even though p2p.wrox.com is technically a subdomain of www.wrox.com). This same script can't access pages from www.wrox.com:8080 because it has a different port number or from about:blank because it's a different protocol (not http://).
The effect on BOM and DOM scripting
These rules affect the way you can interact with the BOM and the DOM. For instance, you cannot access the document object for any page from a different origin, meaning that you can't access any of the DOM structure. The following two lines illustrate the issue:
alert(frames[1].location.href);
alert(frames[1].document.location.href); //fails
The previous code should output two alerts, each displaying the URL of the page in the second frame (the frame at index 1). You may recall from earlier in the book that both the window and document objects have a location object as a property. If the script using these two lines of code is from a different origin than the page contained in the frame, the second line of code fails because the script cannot access the document.location object or any of its properties. The script can, however, access the window.location object (represented by frames[1].location) and can still access all the other properties of the window.
You may also remember from earlier in the book that the XML HTTP Request object (in all browsers)
and the Web Service functionality work only with resources from the same domain; this is yet another
instance where the Same Origin Policy takes effect. It also applies to plugins.
The exception to the rule
Common logic dictates that www.wrox.com and p2p.wrox.com belong to the same domain, so they should be able to communicate with one another. As it turns out, the browser developers agree and have provided a way to allow such communication.
In the pages from each subdomain, a single line of script can be included to circumvent the Same Origin Policy. This is done by setting the document.domain property as shown here:
document.domain = "wrox.com";
This simple line of code then eliminates all the security blocks for JavaScript communication. Note, however, that you can set the domain only to a value already in the URL, so a page from www.wrox.com cannot set the domain to mozilla.org, because that is a violation of the Same Origin Policy.
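As an added example (not code from the book), the following JavaScript models the two checks described above: the protocol/host/port comparison of the Same Origin Policy, and the rule that document.domain may be set only to a value already present in the page's own URL. It assumes Node.js with the WHATWG URL class available; the function names are my own, and the dot-in-target test is a simplification of the public-suffix rule browsers apply.

```javascript
// Added example, not from the book: a model of the checks this section describes.
// Assumes Node.js (WHATWG URL class available globally); function names are mine.

// Reduce a URL to the triple the Same Origin Policy compares: protocol, host, port.
// The URL parser drops a default port (80 for http:, 443 for https:), so restore it.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  return { protocol: u.protocol, host: u.hostname, port: u.port || defaultPorts[u.protocol] || '' };
}

// Two scripts may interact only when all three parts match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// document.domain may be set only to the current host or a parent domain of it,
// i.e. a value already present in the URL. The suffix must be label-aligned:
// "wrox.com" is acceptable for "www.wrox.com", "rox.com" is not.
// Requiring a dot in the target is a simplification of the public-suffix rule
// browsers apply (a page may not relax its domain all the way to "com").
function canSetDocumentDomain(currentHost, requestedDomain) {
  const host = currentHost.toLowerCase();
  const target = requestedDomain.toLowerCase();
  if (host === target) return true;
  return target.includes('.') && host.endsWith('.' + target);
}

// Two pages can script each other after setting document.domain only if both
// can legitimately set the same value and their protocols still match; the host
// comparison is the only part of the origin the relaxation removes.
function canCommunicateViaDocumentDomain(urlA, urlB, domain) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol &&
    canSetDocumentDomain(a.host, domain) && canSetDocumentDomain(b.host, domain);
}
```

Because every host under wrox.com can make the same relaxation, a page that sets document.domain becomes scriptable by any other wrox.com subdomain page that does likewise, so the chosen value is a trust decision for the whole domain.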
Window object issues
A number of measures protect end users from malicious scripts attempting to use windows.
First and foremost, windows cannot be opened off screen or smaller than 100 x 100. If you specify coordinates that are off the screen, the window is automatically placed on the screen in a location close to where you specified, but with enough space to see the entire window. Likewise, if you try to open a
Chapter 19, page 564 (22_579088 ch19.qxd 3/28/05 11:43 AM)