Last Updated: February 25, 2016
· timfernihough

Document.domain tips to bypass XSS mechanisms

Anyone who has had to do an integration with a 3rd party iframe and have javascript running has probably run into XSS issues. Of course, we want our browsers to protect us and not allow XSS (unless we want it to, of course).

In order to have an action within an externally hosted iframe implement a function you've written in your parent frame, you'll need to do a couple things:

  • Ensure the root domain of the iframe's src tag matches the root domain of your parent frame. This is commonly done by creating a CNAME record on the parent domain and working with the 3rd party provider to ensure it resolves properly.

  • Set your document.domain on the parent to the root domain (

  • The 3rd party provider will likely allow a parameter to be passed in to the src tag that they use to set the document.domain on their end.

  • Finally, you'll want to debug to make sure that the document.domain is set to the same value both on the parent frame and on the iframe. Here is a very useful link on how to change the focus of the console in Firebug to the iframe so that you can then run "document.domain" in the console and see if the values are the same. This will prevent you from having to have many back and forth conversations with the 3rd party.

cd(frames[0]); or
cd(frames["iframecanvas"]); where iframecanvas is the ID of the iframe.**
You can return to the parent frame with cd(top);

Full Link: Article at Stack Overflow