The default security in JavaScript is even more restrictive than "same domain". It's known as the Same Origin policy. It says that a script can only read properties of windows and documents that were loaded:

1. from the same host
2. through the same port
3. by the same protocol

Reference: Mozilla.org [mozilla.org]

There is one happy exception - you can bypass the limitation for subdomains of the same domain, such as sub1.domain.com and sub2.domain.com. You do this by reassigning document.domain to the short version, e.g. document.domain="domain.com". This allows windows from the root domain to interact with windows in different subdomains.

You're correct that a "trusted script" can have more freedom - I've never written a signed script and I've only ever read about it (here's one solid reference: Netscape DevEdge [developer.netscape.com].) I understand it can be a bit unwieldy in many situations. Given that, a "real" app just may be the way to go.

That's not a definitive answer, I know. Hope the references will help you make a good decision for your situation.

[edited by: tedster at 12:42 am (utc) on June 7, 2003]
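The three-part check and the document.domain exception from the post above, as an added example that is not part of the original thread: a simplified JavaScript model of the decision, not browser source code. The function names and URLs are constructed for illustration, and the model assumes the behaviour in the HTML specification, where both windows must assign the same document.domain value before access is relaxed.

```javascript
// Simplified model of the access check; not browser source code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (protocol, host, port) triple the policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// A page may only shorten document.domain to its own host or a parent domain,
// cut on a label boundary. Browsers also refuse public suffixes such as "com";
// rejecting single-label values stands in for that check here (assumption).
function isAllowedDomain(host, value) {
  if (!value.includes(".")) return false;
  return host === value || host.endsWith("." + value);
}

// domainA / domainB: what each page assigned to document.domain, or null.
function canScript(urlA, domainA, urlB, domainB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (domainA === null && domainB === null) return sameOrigin(urlA, urlB);
  // Relaxation is opt-in on both sides: one page alone cannot widen access.
  if (domainA === null || domainB === null) return false;
  if (!isAllowedDomain(a.host, domainA) || !isAllowedDomain(b.host, domainB)) {
    return false;
  }
  // With both sides opted in, protocol and the assigned domain must match.
  return a.protocol === b.protocol && domainA === domainB;
}
```

Assigning document.domain is deprecated in current browsers, so the relaxed branch describes legacy behaviour rather than something to rely on in new code.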