W3cubDocs

/DOM

document.domain

The domain property of the Document interface gets/sets the domain portion of the origin of the current document, as used by the same origin policy.

Syntax

var domainString = document.domain;
document.domain = string;

Value

The domain portion of the current document's origin.

Exceptions

SecurityError
An attempt has been made to set domain under one of the following conditions:
  • the document is inside a sandboxed <iframe>
  • the document has no browsing context
  • the document's effective domain is null
  • the given value is not equal to the document's effective domain (or it is not a registerable domain suffix of it)
  • the document-domain Feature-Policy is enabled

Example

// for document www.example.xxx/good.html,
// this script closes the window
var badDomain = "www.example.xxx";

if (document.domain == badDomain)
   window.close(); // Just an example - window.close() sometimes has no effect.
// For the URI http://developer.mozilla.org/en-US/docs/Web the
// following sets domain to the string "developer.mozilla.org"
var domain = document.domain;

Notes

This property used to return null if the domain of the document could not be identified, although this has now changed as of Firefox 62 — see the discussion in bug 819475.

Mozilla will let you set it to a superdomain of the current value, constrained by its base domain. For example, on developer.mozilla.org it is possible to set it to "mozilla.org" but not "mozilla.com" or "org".

If this property is successfully set, the port part of the origin is also set to null.

Mozilla distinguishes a document.domain property that has never been set from one explicitly set to the same domain as the document's URL, even though the property returns the same value in both cases. One document is allowed to access another if they have both set document.domain to the same value, indicating their intent to cooperate, or neither has set document.domain and the domains in the URLs are the same (implementation). Were it not for this special policy, every site would be subject to XSS from its subdomains (for example, https://bugzilla.mozilla.org could be attacked by bug attachments on https://bug*.bugzilla.mozilla.org).

Specifications

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
Basic support Yes ? Yes
Yes
From Firefox 62, if the domain cannot be identified, domain returns an empty string instead of null. See bug 819475.
? ? ?
Mobile
Android webview Chrome for Android Edge Mobile Firefox for Android Opera for Android iOS Safari Samsung Internet
Basic support Yes Yes ? Yes
Yes
From Firefox 62, if the domain cannot be identified, domain returns an empty string instead of null. See bug 819475.
? ? ?

See also

© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/document/domain