
Security

Browsers, such as Netscape Navigator and Internet Explorer, put certain restrictions on what information scripts can access between frames and windows.

If all the pages in these frames and windows are based on the same server, or on the same computer when you're loading them into the browser locally as we are, you have reasonably free rein over what your scripts can access and do. However, there are some restrictions. For example, if you try to use the window.close() method in a script page loaded into a browser window that the user opened, as opposed to a window opened by your script, a message box will appear giving the user the option of cancelling your close() method and keeping the window open.

When a page in one window or frame hosted on one server tries to access the properties of a window or frame that contains a page from a different server, the "same origin policy" comes into play, and you'll find yourself very restricted as to what your scripts can do.

Imagine you have a page hosted on a web server whose URL is http://www.myserver.com. Inside the page is the following script:

var myWindow =
    window.open("http://www.anotherserver.com/anotherpage.htm", "myWindow");

Now we have two windows, one that is hosted at www.myserver.com and another that is hosted on a different server, www.anotherserver.com. Although this code does work, the same origin policy prevents any access to the document object of one page from another. For example, the following code in the opener page

var myVariable = myWindow.document.form1.text1.value;

will trigger a security error and will be blocked by the browser. Although you do have access to the window object of the page on the other server, you only have access to a limited subset of its properties and methods.

The same origin restriction applies equally to frames as it does to windows. The idea behind it is very sound: It is to prevent hackers from putting your pages inside their own and extracting information by using code inside their page. However, the restrictions are fairly severe, perhaps too severe, and mean that you should avoid scripting across frames or windows where the pages are hosted on different servers.
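The following is an added example, not code from the original text. It shows how two URLs are compared for "same origin" and how an opener page can attempt the cross-window read shown above without the refusal surfacing as an uncaught error. It goes slightly beyond the text by comparing scheme and port as well as host; the function names, the stand-in window objects and the "SecurityError" error name are assumptions.

```javascript
// Added example. An origin is the (scheme, host, port) triple of a URL.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the scheme's default port is in use.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Read a form field from another window without letting the browser's
// cross-origin refusal become an uncaught exception in the opener page.
function readFieldValue(win, formName, fieldName) {
  try {
    return { ok: true, value: win.document[formName][fieldName].value };
  } catch (err) {
    return { ok: false, reason: err.name };
  }
}

// Constructed stand-ins for window objects (assumption: the browser throws
// an error named "SecurityError" on cross-origin document access).
const crossOriginWindow = {
  get document() {
    const err = new Error("cross-origin access blocked (constructed)");
    err.name = "SecurityError";
    throw err;
  },
};
const sameOriginWindow = { document: { form1: { text1: { value: "hello" } } } };

const openerUrl = "http://www.myserver.com/index.htm";
console.log(sameOrigin(openerUrl, "http://www.anotherserver.com/anotherpage.htm"));
console.log(sameOrigin(openerUrl, "http://www.myserver.com:80/other.htm"));
console.log(sameOrigin(openerUrl, "https://www.myserver.com/index.htm"));
console.log(readFieldValue(crossOriginWindow, "form1", "text1"));
console.log(readFieldValue(sameOriginWindow, "form1", "text1"));
```
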

There is no easy way around the restrictions in Internet Explorer, but Netscape Navigator browsers do support scripts that have been digitally signed to validate their origin. These scripts are subject to fewer restrictions than unsigned scripts, but relying on them means that your pages won't be accessible from Internet Explorer. Also, the certificate required for signing is quite expensive.

