Technical Articles

Cross Domain Scripting in HTML

What is Scripting:
Scripting languages like JavaScript and VBScript that can be embeded in HTML files give enormous oportunities for making web pages dynamic and interactive and user friendly. They make web pages responsive by allowing a part of the job to be done at the browser before doing a round trip to the server. They also allow HTML interface to provide a rich and dynamic user interace similar to what we get with applications built with Visual Basic, MFC and the likes. You can dynamically hide or display portions of the screen, create new elements on the fly, modify text, populate text, interact with other embeded components like Java Applets and ActiveX objects. Objects embeded in HTML and HTML elements are accessed though the DOM.

What is DOM:
DOM stands for "Document Object Model". That is a kind of tree data structure that the browser builds out of a HTML page. HTML is very similar to XML (though less strict), and can be parsed into well formed tree with nested elements and attributes. This parsed representation, called as DOM, is easy to access and program.

What is Cross Domain Scripting:
HTML pages can be obtained from different web servers using different URLs. For example, Yahoo Mail can be accessed through and HotMail through The web servers serving them are on different machines and the machines belong to different network domains. In our example of yahoo and hotmail, is the network domain of HotMail and is the network domain of Yahoo Mail.

Suppose, you come up with a brilliant idea of creating a portal for internet based mails. The portal will allow a user to login with a user Id and password and if the user has accounts in both HotMail and Yahoo with the same user Id and password, your portal will be able to display mails from both the accounts without the user having to login to each of the mail boxes. So you get a machine to host your portal, create a network domain called and start to work on it. You realize that users will not be comfortable having to supply their mail account user Id and passwords to you, so you must implement all logic in HTML alone, without storing anything on your server. That implies that the HotMail and Yahoo logins must happen at the user's browser only and the mails displayed there. Your application can just be the starting point and all you would get is a small space at the top where you can display your wares and hope that the user also purchases some of them after reading the mails. Doing all this at the browser will require quite an amount of heavy duty scripting. You will need to get the user id and password from the user once from your login screen and then create two frames dynamically - one hosting HotMail and the other hosting Yahoo Mail. Then you need to push the user Id and password to their login screens and simulate a click of the login button.

So as you see, this requires that scripts that you supply from your domain ( have to interact with HTML from other domains and This is what is referred to as "Cross Domain Scripting".

What's the issue with that:
Cross domain scripting is a security issue because it can allow a web page downloaded from a malicious web server to access sensitive data downloaded from another webserver. Imagine that you are browsing your mails from while you went to to play some games. Now abccasino is not a reputed site and somebody there has deployed a clever script on their web page that takes hold of your hotmail screen and sends all e-mail contents to One of the e-mails may contain a mail from your bank that has your credit card statement with your credit card number! So you see, cross domain scripting is not entirely safe and that's the region why most of the popular browsers have disabled it.

However sometimes you do genuinely need todo cross domain scripting. In the below mentioned paragraphs we'll discuss how much of cross domain scripting is allowed and how to go about doing it.

Option 1:
This is the easiest and least intrusive way. This is probably the best way to go if you can do with the restrictions imposed. It is also the most secure way, that follows the rules imposed by the browsers without trying to work around them. To follow this method:

    Ensure that all URLs come from the same parent domain. For example, and both come from the same parent domain
    Set the DOM variable document.domain to the parent domain in all your web pages. That is, include the script snippet <script>document.domain='';</script> in all your pages from both the domains.
    Ensure that all URLs that are called use the full domain name. That is, even if you have the option of invoking with an alias called yahoomail, don't do that. The browser looks at the literal domain name that you used in the address bar. Even IP address will not do.
    Ensure that all URLs are either HTTP or HTTPS. Mixing is not allowed. That is, a script from a page invoked using HTTP can not access contents of another page from the same domain invoked using HTTPS, and vice versa.

Option 2:

    Using HTA. HTA stands for HTML Template Applications, a Microsoft only feature. This featue is available on machines with IE5+ browsers.
    The web server needs to be configured to send HTA files with appropriate mime types.
    HTA is not executed in a normal IE window. Rather it throws up a mshta.exe window with the web pages embeded within.
    HTA may not run java applets correctly. Though I haven't explored this fully, I did get a problem and so did may others if you browse newsgroups.

Option 3:

    Signing Javascripts. Basically the js files will have to be put into a jar file and the jar file should be signed.
    Works only with Netscape.