Access to DOM elements is allowed only when the request scheme, hostname, and port number match those of the current URI. A subdomain cannot share DOM elements with the parent domain.
Scheme in web applications is typically http:// or https://
Hostname is typically the domain name plus TLD, or the unique IP address
Port number: Typically, port 80 is implicit in http:// and 443 for SSL over https://
If the scheme, hostname, and port number do not all match those of the DOM element, resource sharing is prohibited because the two do not share the same origin. Considering the domain http://www.example.com, the following table provides various combinations of matching and mismatching origins:
| URI | Match? | Reason |
|---|---|---|
| | Match | Same protocol and host |
| | Match | Same protocol and host |
| | Mismatch | Different host (www is a subdomain) |
| | Mismatch | Different protocol (https://) |
| | Mismatch | Same protocol and host but different port (81) |
| | Mismatch | Different host (en is a subdomain) |
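The comparison described above can be written as a short function. This is an added example, not code from the original page; the names `originParts` and `compareOrigin`, the `ignorePort` option (which models the IE port behaviour this page describes), and the sample URLs are assumptions made for illustration.

```javascript
// Added example: same-origin comparison on (scheme, hostname, port).
// Ports that are implicit for each scheme, as listed on the page.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URI into the three components the policy compares.
function originParts(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol, // e.g. "http:"
    host: u.hostname.toLowerCase(),
    // URL.port is "" when the port is the scheme default, so fill it in.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Returns { match, reason } for candidate measured against base.
// ignorePort = true models a comparison that leaves the port out.
function compareOrigin(base, candidate, { ignorePort = false } = {}) {
  const a = originParts(base);
  const b = originParts(candidate);
  if (a.scheme !== b.scheme) return { match: false, reason: "different scheme" };
  if (a.host !== b.host) return { match: false, reason: "different host" };
  if (!ignorePort && a.port !== b.port) {
    return { match: false, reason: "different port" };
  }
  const reason = ignorePort
    ? "same scheme and host (port ignored)"
    : "same scheme, host and port";
  return { match: true, reason };
}

// Constructed sample URIs, checked against the page's example domain.
const BASE = "http://www.example.com";
const SAMPLES = [
  "http://www.example.com:80/dir/page.html", // explicit default port
  "https://www.example.com/dir/page.html",
  "http://www.example.com:81/dir/page.html",
  "http://en.example.com/dir/page.html",
];

for (const uri of SAMPLES) {
  const strict = compareOrigin(BASE, uri);
  const noPort = compareOrigin(BASE, uri, { ignorePort: true });
  console.log(uri, "| strict:", strict.reason, "| port ignored:", noPort.reason);
}
```

An explicit `:80` on an `http://` URI still matches, because the implicit and explicit default ports normalise to the same value.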
Internet Explorer (IE) implements two major differences when it comes to the same-origin policy:
IE Trust Zones allow different domains: If both domains are in a highly trusted zone, then the same-origin policy limitations are not applied.
Port is ignored: IE ignores the port when comparing same-origin components. These URIs are considered from the same origin: