Considering the origin of entities
Access to DOM elements is allowed only when the request scheme, hostname, and port number match those of the current URI. A subdomain cannot share DOM elements with the parent domain.
- Scheme in web applications is typically `http://` or `https://`
- Hostname is typically the domain name plus TLD, or the unique IP address
- Port number:
  - Typically, port 80 is implicit in `http://`
  - Typically, port 443 for SSL over `https://`
If the scheme, hostname, and port number do not match those of the DOM element, then resource sharing is prohibited as they do not share the same origin. Considering the domain http://www.example.com, the following table provides various combinations of matching and mismatching origins:

| URI | Match? | Reason |
|---|---|---|
| | Match | Same protocol and host |
| | Match | Same protocol and host |
| | Mismatch | Different host (www is a subdomain) |
| | Mismatch | Different protocol (https://) |
| | Mismatch | Same protocol and host but different port (81) |
| | Mismatch | Different host (en is a subdomain) |
Internet Explorer exception policy
Internet Explorer (IE) implements two major differences when it comes to the same-origin policy:
- IE Trust Zones allow different domains: If both domains are in a highly trusted zone, then the same-origin policy limitations are not applied.
- Port is ignored: IE does not treat the port as a component of the origin. These URIs are therefore considered to be from the same origin:
  - http://www.example.com:80/dir/page1.html
  - http://www.example.com:81/dir/page1.html
Tip
These exceptions in Internet Explorer are non-standard and are not supported in other browsers. If an application is only viewed in Windows RT mobile or Internet Explorer, then these exceptions could be useful.
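The origin comparison described above (scheme, host, and port, with the implicit ports 80 and 443 filled in) and the Internet Explorer variant that leaves the port out can both be expressed in a few lines. The following is an added example, not code from the original text; it uses the WHATWG `URL` parser available in browsers and Node.js, and the sample URIs are constructed around the page's base domain http://www.example.com.

```javascript
// Added example: decide whether two URIs share an origin under the
// same-origin policy, with an option reproducing IE's port-ignoring rule.

// Ports that are implicit when the URI omits them (page: 80 for http, 443 for https).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a URI into its origin components, filling in the implicit port so that
// "http://www.example.com" and "http://www.example.com:80" compare equal.
function originParts(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol,                                  // e.g. "http:"
    host: u.hostname.toLowerCase(),                      // e.g. "www.example.com"
    port: u.port || DEFAULT_PORTS[u.protocol] || "",     // URL.port is "" for default ports
  };
}

// True when `a` and `b` share an origin. With ignorePort=true the port is left
// out of the comparison, which is the Internet Explorer behaviour.
function sameOrigin(a, b, { ignorePort = false } = {}) {
  const x = originParts(a);
  const y = originParts(b);
  return x.scheme === y.scheme && x.host === y.host && (ignorePort || x.port === y.port);
}

// Produce a reason string in the style of the table's Reason column.
function explainOrigin(a, b) {
  const x = originParts(a);
  const y = originParts(b);
  const diffs = [];
  if (x.scheme !== y.scheme) diffs.push(`different protocol (${y.scheme.replace(":", "://")})`);
  if (x.host !== y.host) diffs.push(`different host (${y.host})`);
  if (x.port !== y.port) diffs.push(`different port (${y.port})`);
  return diffs.length === 0
    ? "match: same protocol, host and port"
    : "mismatch: " + diffs.join(", ");
}

// Constructed sample set (not from the page) compared against the page's base domain.
const BASE = "http://www.example.com/dir/page.html";
const SAMPLES = [
  "http://www.example.com/dir/page2.html",       // same origin, different path
  "http://www.example.com:80/dir/page1.html",    // explicit default port
  "http://www.example.com:81/dir/page1.html",    // different port (IE: same origin)
  "https://www.example.com/dir/page.html",       // different protocol
  "http://en.example.com/dir/page.html",         // subdomain
  "http://example.com/dir/page.html",            // parent domain
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    const ie = sameOrigin(BASE, s, { ignorePort: true });
    console.log(`${s} -> ${explainOrigin(BASE, s)} | IE (port ignored): ${ie}`);
  }
}
```

Note that the port-ignoring variant is only there to model IE's behaviour; a server-side origin check (for example when validating an `Origin` header) should use the strict comparison.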