I have a question regarding the same-origin policy.
My company has many subdomains and in one of them they would like an iframe with another subdomain inside of it and populate the form of the iframe.
I have read about the document.domain property and that I would need to set it on all three domains, however I cannot easily test this due to each subdomain belonging to a different department. So here is my question:
Is this possible when the subdomains are both https, and the root domain is not? I looked at the examples on Wikipedia, but that didn't help me. Any help would be greatly appreciated.
Example:
https://x.company.org
https://y.company.org
http://company.org
x.company.org will have a page with an iframe of y.company.org which has a form that we would like to auto populate.
The things that define a domain in this context are protocol, port and domain so http://abc.com and https://abc.com are considered different domains by your browser (http vs https).
http://en.wikipedia.org/wiki/Same_origin_policy#Origin_determination_rules
https://x.company.org and https://y.company.org are also considered separate domains but they can both relax their domain setting to https://company.org and cross-communicate.
http://en.wikipedia.org/wiki/Same_origin_policy#document.domain_property
There's another option available to you now as HTML5 is in all the major browsers. Using the HTML5 postMessage you can communicate across domains, assuming the receiving domain wants to accept the message and respond.
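The postMessage approach for the x.company.org / y.company.org case, as an added example that is not part of the original answer. The field names, the message shape and the 200-character limit are assumptions made for illustration; the origins are the ones from the question.

```javascript
// Added example (not from the original post).
const PARENT_ORIGIN = "https://x.company.org"; // page that hosts the iframe
const FRAME_ORIGIN = "https://y.company.org";  // page inside the iframe
const ALLOWED_FIELDS = ["firstName", "email"]; // hypothetical form field names

// Parent side (x.company.org): name the exact target origin, never "*",
// so the values are not delivered if the frame has navigated elsewhere.
function sendPrefill(frameWindow, values) {
  frameWindow.postMessage({ type: "prefill", values: values }, FRAME_ORIGIN);
}

// Frame side (y.company.org): handler for the "message" event.
// `fields` maps field name -> element (e.g. document.forms[0].elements).
// Returns the names of the fields it filled in.
function handlePrefill(event, fields) {
  // event.origin is scheme + host + port, so http://company.org and any
  // other subdomain fail this exact comparison.
  if (event.origin !== PARENT_ORIGIN) return [];
  const data = event.data;
  if (!data || data.type !== "prefill") return [];
  if (typeof data.values !== "object" || data.values === null) return [];

  const filled = [];
  for (const name of ALLOWED_FIELDS) {
    const value = data.values[name];
    // Accept only short strings for allowlisted fields that exist in the form.
    if (typeof value === "string" && value.length <= 200 && fields[name]) {
      fields[name].value = value; // assigned as a value, never as HTML
      filled.push(name);
    }
  }
  return filled;
}

// Browser wiring for the frame page; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", function (event) {
    handlePrefill(event, document.forms[0].elements);
  });
}
```

On the parent page the call would be `sendPrefill(iframeElement.contentWindow, {...})` once the iframe has loaded.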