Friendly Cross-Site Scripting
Recently I was faced with the issue of loading an iFrame from our main site to one of our child sites, and the two needed to communicate with each other through JavaScript. While developing on our test servers the problem wasn't obvious because everything was on the same domain, but when it was near time to deploy on the production servers the shit hit the fan! The reason wasn't so obvious at first, but luckily the solution wasn't very hard to implement; it was just a matter of finding it.
Welcome document.domain
Say we have a script at http://foo.mysite.com that needs to communicate with another friendly script at http://bar.mysite.com by means of an iFrame or something similar. By default your browser's same-origin policy won't let them, because the full domains (including the sub-domain) aren't the same.
To allow both sub-domains to communicate with each other, you must set the document.domain property in JavaScript to the same domain name on both pages. So in our case we would need to set the document.domain property on both sites to mysite.com, which is the common domain between the two.
document.domain="mysite.com";
You can't, however, set both to foo.mysite.com or bar.mysite.com, and you cannot set both of them to another domain such as mysite1.com or anything else. That's the limitation.
Hint: The same idea lets you share cookies across similar domains as well. When setting a cookie, you can set it for the parent domain so that it is accessible from multiple sub-domains.
Be aware that setting this property incorrectly can compromise the security of your site. Once a page sets document.domain to mysite.com, any other page on a sub-domain of mysite.com that sets the same value can script it. Have the server determine the value; do not set this property from a value determined by the client.
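The limitation and the server-side advice above can be written down as a small check. This is an added example, not code from the original post: the function names, ALLOWED_DOMAINS and the tiny PUBLIC_SUFFIXES set are assumptions made for illustration, and it models only the host-name rule (real browsers consult the full Public Suffix List and also compare scheme and port).

```javascript
// Constructed stand-in for the real Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// True if a page served from `hostname` may set document.domain = value:
// the value must be the page's own host name or a parent domain of it.
function canSetDocumentDomain(hostname, value) {
  const host = hostname.toLowerCase();
  const v = value.toLowerCase();
  if (v === "" || PUBLIC_SUFFIXES.has(v)) return false; // never a bare suffix
  if (v === host) return true;                          // own full host name
  return host.endsWith("." + v);                        // parent, on a label boundary
}

// Most specific value that both hosts are allowed to set, or null if none.
function commonDocumentDomain(hostA, hostB) {
  const labels = hostA.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (canSetDocumentDomain(hostA, candidate) &&
        canSetDocumentDomain(hostB, candidate)) {
      return candidate;
    }
  }
  return null;
}

// Server-side choice (hypothetical helper): the value written into the page
// comes from a fixed allowlist, never from a query string or other client input.
const ALLOWED_DOMAINS = ["mysite.com"];
function domainForResponse(requestHost) {
  return ALLOWED_DOMAINS.find((d) => canSetDocumentDomain(requestHost, d)) || null;
}

console.log(commonDocumentDomain("foo.mysite.com", "bar.mysite.com"));
console.log(canSetDocumentDomain("bar.mysite.com", "foo.mysite.com"));
console.log(domainForResponse("foo.mysite1.com"));
```

The label-boundary test matters: a plain suffix match would accept mysite.com for a host such as foo.notmysite.com.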