Cross Subdomain Scripting

Since the early days, browsers have prevented cross-site scripting by ensuring that JavaScript cannot access files loaded from another domain, such as the source of an iframe. Unfortunately, the same logic was applied to subdomains, so JavaScript code on cannot access This causes problems if you organize your site by subdomains that need to communicate with each other via JavaScript or AJAX. Fortunately, browser makers added the document.domain property to allow you to change the domain used for page origin checks to a parent domain, instead of the subdomain.

This means that if I wanted to be able to communicate with I would need to set document.domain=""; in a script tag in the head of each page. This causes the browser to treat both sites as coming from "" when performing the site-origin security check, allowing them to access each other.

Now document.domain only works with a parent domain to the current subdomain. Meaning, you could not set it to a different domain, such as, or a different subdomain like However, if you had these two subdomains and, you could set document.domain to, since it is a parent subdomain in the subdomain hierarchy.

Lastly, document.domain is supported by all major browsers, so we don&rsquot;t have to worry about crossbrowser issues. I have tested it in Firefox 2,3, IE6,7,8, Chrome, and Safari 3 and 4, Opera 9. Let me know your experiences.