JavaScript's Same Origin Policy

Perhaps you have encountered "access denied" or similar error messages when using JavaScript to interact with iframes. This occurs when the containing document and the iframed document are not from the same domain and one of them attempts to reference the other's objects.

The same origin policy is a security feature of JavaScript that prevents access to properties and methods of documents from different domains.[1] However, there are ways to ease or circumvent this restriction.

The document.domain Property

The document.domain property can be used to allow interaction with a subdomain. For example, if you want a document at www.domain.com to communicate with a document at forums.domain.com, the document.domain property could be set to domain.com in both documents to allow JavaScript interaction between them.

The postMessage Method

HTML5's cross-document messaging uses a postMessage method to enable documents from separate domains to communicate with each other while still providing protection from cross-site scripting attacks.[2]

Find out more about using the postMessage method, including setting iframe height cross-domain, and working with objects and properties in documents on other domains.
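The protection postMessage offers depends on two checks the page does not spell out: the sender names an explicit target origin instead of "*", and the receiver compares event.origin against the origin it expects before acting on the data. The following is an added example, not code from the original article, using the iframe-height case mentioned above; the origins www.domain.com and forums.domain.com are assumed, and the window objects are stubs so the block runs outside a browser.

```javascript
// Assumed origins for this example (not taken from any real deployment).
const PARENT_ORIGIN = 'https://www.domain.com';
const FRAME_ORIGIN = 'https://forums.domain.com';

// Embedded document side: report its height to the parent, addressed only to
// the expected parent origin. Using '*' here would let a parent on any origin
// read the message.
function sendHeight(parentWindow, height) {
  const msg = { type: 'iframe-height', height: height };
  parentWindow.postMessage(JSON.stringify(msg), PARENT_ORIGIN);
  return msg;
}

// Parent document side: accept a message only from the expected frame origin,
// then validate its shape before using it.
function handleFrameMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: 'malformed data' };
  }
  const validHeight = Number.isInteger(msg.height) && msg.height >= 0 && msg.height <= 20000;
  if (msg.type !== 'iframe-height' || !validHeight) {
    return { accepted: false, reason: 'unexpected message' };
  }
  // In a browser the parent would now set iframe.style.height = msg.height + 'px'.
  return { accepted: true, height: msg.height };
}

// Stub window (constructed for this example) that records what was posted to it.
function makeStubWindow() {
  const sent = [];
  return { sent: sent, postMessage(data, targetOrigin) { sent.push({ data: data, targetOrigin: targetOrigin }); } };
}

// Walk through one exchange: frame sends, parent receives from the right origin,
// and a message arriving from some other origin is rejected.
function demo() {
  const parent = makeStubWindow();
  sendHeight(parent, 640);
  const posted = parent.sent[0];
  const accepted = handleFrameMessage({ origin: FRAME_ORIGIN, data: posted.data }, FRAME_ORIGIN);
  const rejected = handleFrameMessage({ origin: 'https://other.example', data: posted.data }, FRAME_ORIGIN);
  return { targetOrigin: posted.targetOrigin, accepted: accepted, rejected: rejected };
}
```

In a real page the parent registers handleFrameMessage through window.addEventListener('message', ...) and passes the real event object; the origin check is what keeps a document on an unrelated origin from driving the handler.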

Cross-Origin Resource Sharing

W3C's Cross-Origin Resource Sharing (CORS) lets the browser send an HTTP Origin request header and lets the server answer with an Access-Control-Allow-Origin response header naming the domains allowed to read the response, which makes cross-domain Ajax requests possible.[3]


  1. Find out more about the same origin policy at Wikipedia.
  2. Find out more about cross-document messaging at WhatWG.
  3. Find out more about CORS at Wikipedia and MDN.