setting document.domain when SOP not violated anyway

I'm trying to figure out whether setting document.domain='example.com' serves a purpose when loading content from iframes if the SOP wouldn't be violated anyway. In my scenario I have an HTML page on www.example.com which loads an iframe on www.example.com/iframe (all port 80) - so, as I understand it, setting the document.domain property is unnecessary here.

In FF3, the JavaScript code streamed from the iframe does not execute though, unless I set the document.domain property explicitly on both parent page and iframe. In FF4 it does not execute in either setting. I've also tried with the www prefix in the hostname - no difference. Firebug reveals that a chunked part containing the full contents of a <script> tag was downloaded though.

Does this mean that setting document.domain still has a purpose when there are no subdomains or XSS involved?


Setting document.domain should not have an effect in your case unless something else is happening.

I suggest you do not touch document.domain and try to find the real reason for your problem. Meddling with document.domain will only lead to trouble when doing AJAX or file uploads via iframes and such, as these will not necessarily have opted into the new domain suffix.

But to answer, no, it does not have a purpose other than loosening up the SOP when communicating across subdomains.

0
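The opt-in behaviour the answer refers to, as an added example that is not part of the original question or answer: a simplified model of the browser's "same origin-domain" comparison, showing that a page which sets document.domain loses DOM access to a same-host frame that has not set it. The names `makeOrigin`, `setDomain` and `canScript` are hypothetical, and the public-suffix restriction that browsers enforce is left out.

```javascript
// Simplified model of the "same origin-domain" check used for frame-to-frame
// DOM access. makeOrigin, setDomain and canScript are hypothetical names.

function makeOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  const defaultPort = { http: '80', https: '443' }[scheme] || '';
  // `domain` stays null until the page assigns document.domain.
  return { scheme, host: u.hostname, port: u.port || defaultPort, domain: null };
}

// Models `document.domain = value`: only the current host or a parent suffix
// is accepted. (Browsers also reject public suffixes such as "com"; omitted.)
function setDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith('.' + value)) {
    throw new Error(`SecurityError: ${value} is not a suffix of ${origin.host}`);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// DOM access between two frames is allowed only if this returns true.
function canScript(a, b) {
  if (a.domain !== null && b.domain !== null) {
    // Both opted in: scheme and domain must match; the port is ignored.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false; // only one side opted in
}

// Constructed sample origins matching the scenario in the question.
const parent = makeOrigin('http://www.example.com/');
const frame = makeOrigin('http://www.example.com/iframe');
const api = makeOrigin('http://api.example.com/');
const relaxed = setDomain(parent, 'example.com');

console.log(canScript(parent, frame));   // true: same origin, nothing to set
console.log(canScript(relaxed, frame));  // false: frame has not opted in
console.log(canScript(relaxed, setDomain(frame, 'example.com'))); // true
console.log(canScript(relaxed, setDomain(api, 'example.com')));   // true
console.log(canScript(parent, api));     // false: different hosts, no opt-in
```

The second result is the failure mode the answer warns about: once the parent sets document.domain, every frame it needs to script must set the same value, including frames used for uploads or other helper tasks.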
