Document Domain

Every few years I run into an issue with JavaScript-based rich text editors and spellcheckers when they spawn pop-ups. The pop-ups open but don’t function.

If I open my Firebug console in the pop-up, I see something like:

Permission denied for <> (document.domain has not been set) to get property Window.tinymce from <; (document.domain has not been set).

Chrome’s console shows a similar error:

Unsafe JavaScript attempt to access frame with URL from frame with URL Domains, protocols and ports must match.

In this case, TinyMCE’s HTML plugin is running up against JavaScript’s same origin policy because I’m serving assets (and therefore TinyMCE pop-ups) from a different fully-qualified domain name than the page TinyMCE is being embedded in. When not explicitly set, my site’s pages will default to something like and TinyMCE’s document domain will default to

The simple fix is to bump up the document domain on my site’s pages to just I do this in my global JavaScript file. I do the same thing to TinyMCE’s tiny_mce_popup.js file.

    document.domain = '';

(You might also know that cookies need a similar bump when trying to read and write to them across subdomains.)

Although this works, there is a problem for those developing locally: there’s a good chance they’re not developing at but something like localhost. A page at localhost certainly isn’t allowed to claim its document domain is

To handle both cases, we can instead set the document domain smartly, by putting this in both our global JavaScript file and in tiny_mce_popup.js:

    // Keep the last two labels of the hostname; "localhost" stays as it is.
    document.domain = /[\w-]+(\.[\w-]+)?$/.exec(location.hostname)[0];
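A two-label regex still turns `127.0.0.1` into `0.1` and a host such as `shop.example.co.uk` into `co.uk`, and the browser rejects both values. The following is an added example, not code from the original post, that goes beyond the one-liner to handle those cases; `relaxedDomain`, `applyRelaxedDomain`, the sample hostnames and the short suffix list are all assumptions made for illustration.

```javascript
// Added example: choose the value to assign to document.domain.
// Hostnames used with this code are constructed samples, not from the post.

// Two-label public suffixes; an illustrative subset (assumption). A real
// deployment would consult the full Public Suffix List instead.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Hypothetical helper: reduce a hostname to the parent domain to share.
function relaxedDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot

  // IPv4 and bracketed IPv6 literals have no parent domain; keep them whole.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')) {
    return host;
  }

  const labels = host.split('.');
  // "localhost" and "example.com" cannot be shortened any further.
  if (labels.length <= 2) {
    return host;
  }

  // Stopping at a public suffix such as "co.uk" makes the setter throw,
  // so keep one more label in that case.
  const lastTwo = labels.slice(-2).join('.');
  return TWO_LABEL_SUFFIXES.has(lastTwo)
    ? labels.slice(-3).join('.')
    : lastTwo;
}

// Browser-only wrapper. The assignment is made even when the value is
// unchanged, because both documents must set document.domain explicitly.
function applyRelaxedDomain() {
  if (typeof document === 'undefined' || typeof location === 'undefined') {
    return null; // not running in a page (for example under Node.js)
  }
  const target = relaxedDomain(location.hostname);
  try {
    document.domain = target;
    return target;
  } catch (err) {
    // SecurityError: the browser refused the value; origin stays unrelaxed.
    return null;
  }
}
```

Every document that sets the same value becomes mutually scriptable, so this opens the page to all sibling subdomains under that parent, not only the asset host. The `document.domain` setter is deprecated in current browsers, so treat this as a legacy workaround.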

8 thoughts on “Document Domain”

    1. Thanks. It doesn’t do away with the same origin policy. The problem is that pages at and aren’t of the same origin. This trick just bumps down to so that both pages are now of the same origin: Does that make sense?

  1. Hi,
    Is this still a valid solution, since I am not able to do this? I have a dot net page which calls a java widget (which does the type-ahead search like Google) in an iframe. My dot net page as well as the java widget which I am calling are on two different subdomains under the parent domain. And I tried setting both the domains to the same but am still getting an access denied. I am trying this on IE7. Any help?

    1. Yes, this solution is still valid for pages that have JavaScript assets served from a different subdomain. I believe you are running into a different issue entirely: iframe security. I suggest posting your setup and question on StackOverflow to get some help from the broader community.
