javascript window.opener cross-domain call

Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/6876830/

Date: 2020-10-25 22:11:15  Source: igfitidea

window.opener cross domain call

Tags: javascript, cross-domain

Asked by Eugene Manuilov

I have two subdomains www.example.com and api.example.com. On a page from the first domain I open a popup window with url api.example.com/some/url and want to use the window.opener object to pass data to the parent page. But I get this error:


Unsafe JavaScript attempt to access frame with URL http://www.example.com/some/page from frame with URL http://api.example.com/some/url. Domains, protocols and ports must match.

Is it possible to fix the issue?


Answered by Richard Hoffman

It's not a bug, it's a security feature. Otherwise, someone else can have your site open up from theirs and inject data into your page without your users knowing.


Read: http://en.wikipedia.org/wiki/Same_origin_policy


Certainly, having the same SLD could indicate that they are from the same origin, but that isn't guaranteed to be the case, for example, hosting sites that allow free subdomains would be vulnerable.

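The following is an added example, not code from the StackOverflow thread: it models the scheme/host/port comparison behind the "Domains, protocols and ports must match" error, and then applies the same origin check as the guard an opener page should use on messages from a popup. The thread itself does not mention it, but window.postMessage is the browser mechanism designed for exactly this cross-origin popup-to-opener data passing; the `acceptPopupMessage` helper, the `{ origin, data }` event shape and all host names here are constructed for the demo.

```javascript
// Added example (not from the thread): same-origin comparison and an
// origin-checked message guard. Hosts and event objects are constructed.

// Parse a URL into its origin triple (scheme, host, port). The default port
// is filled in so that "http://a.example.com" and "http://a.example.com:80"
// compare equal, as browsers treat them.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || '',
  };
}

// Two URLs are same-origin only if scheme, host and port all match. Sharing a
// registrable domain (www.example.com vs api.example.com) is not enough, which
// is why the question's window.opener access is refused.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Opener-side guard for window.postMessage traffic. `event` is shaped like a
// MessageEvent ({ origin, data }); the popup would call
// window.opener.postMessage(data, 'https://www.example.com') (hypothetical).
// Messages from any origin not in the allow-list are dropped (null).
function acceptPopupMessage(event, allowedOrigins) {
  const allowed = allowedOrigins.some((o) => sameOrigin(o, event.origin));
  return allowed ? event.data : null;
}

// Stand-alone demonstration of the two subdomains from the question.
function demo() {
  return {
    questionCase: sameOrigin('http://www.example.com/some/page',
                             'http://api.example.com/some/url'),
    accepted: acceptPopupMessage(
      { origin: 'http://api.example.com', data: 'hash-from-popup' },
      ['http://api.example.com']),
    rejected: acceptPopupMessage(
      { origin: 'http://api.example.net', data: 'hash-from-popup' },
      ['http://api.example.com']),
  };
}
```

The allow-list check on `event.origin` is the part that matters on the receiving side: a listener that accepts messages from any origin reintroduces the injection risk that the same-origin policy refuses in the first place.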

Answered by mrk

It is possible to pass data between www.example.com and api.example.com but not with window.opener. You can set a value in a cookie with Javascript (document.cookie) on the .example.com domain (not www.example.com) and it will be readable on www.example.com and api.example.com.


On a page from www.example.com, if you execute this Javascript: (source: http://techpatterns.com/downloads/javascript_cookies.php) then the "somename" cookie will be readable from api.example.com


function Set_Cookie( name, value, expires, path, domain, secure )
{
    // expires is a number of days; convert it to milliseconds. To make it
    // hours delete "* 24", for minutes delete "* 60 * 24".
    var expires_date = null;
    if ( expires )
    {
        expires_date = new Date( new Date().getTime() + expires * 1000 * 60 * 60 * 24 );
    }

    // domain=.example.com makes the cookie readable on every subdomain
    // (www.example.com, api.example.com, ...). The secure flag limits it to HTTPS.
    document.cookie = name + "=" + encodeURIComponent( value ) +
        ( expires_date ? ";expires=" + expires_date.toUTCString() : "" ) +
        ( path ? ";path=" + path : "" ) +
        ( domain ? ";domain=" + domain : "" ) +
        ( secure ? ";secure" : "" );
}

Set_Cookie("somename", "somevalue", 0, "/", ".example.com");
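As an added example (not from the thread), the miniature cookie jar below applies the RFC 6265 domain-matching rules to show why a cookie set from www.example.com with domain=.example.com is visible to api.example.com, while a host-only cookie (no domain attribute) stays on www.example.com. It runs outside a browser; the `CookieJar` class, its default path handling and the host names are constructed for the demo, and the Public Suffix List check real browsers apply is deliberately not modelled.

```javascript
// Added example (not from the thread): RFC 6265 domain/path matching in a
// tiny in-memory cookie jar. Hosts, names and values are constructed.

// RFC 6265 section 5.1.3: host domain-matches cookieDomain when they are equal
// or host ends with "." + cookieDomain. A leading dot on the attribute is ignored.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; }

  // setHost is the host of the document that ran document.cookie = ...
  // Returns false when a browser would reject the cookie. (Real browsers also
  // reject public suffixes such as "com"; that list is not modelled here.)
  set(setHost, name, value, attrs = {}) {
    const path = attrs.path || '/';
    let domain = attrs.domain ? attrs.domain.replace(/^\./, '').toLowerCase() : null;
    // A page may only widen scope to a parent of its own host, never to an
    // unrelated domain.
    if (domain && !domainMatches(setHost, domain)) return false;
    const hostOnly = domain === null;
    if (hostOnly) domain = setHost.toLowerCase();
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain && c.path === path));
    this.cookies.push({ name, value, domain, hostOnly, path, secure: !!attrs.secure });
    return true;
  }

  // Cookies a browser would expose to a document at host/path.
  get(host, path = '/', https = false) {
    const out = {};
    for (const c of this.cookies) {
      const domainOk = c.hostOnly ? host.toLowerCase() === c.domain
                                  : domainMatches(host, c.domain);
      if (!domainOk || !pathMatches(path, c.path) || (c.secure && !https)) continue;
      out[c.name] = c.value;
    }
    return out;
  }
}

// The scenario from the answer above: set from www.example.com, read from api.
function demo() {
  const jar = new CookieJar();
  jar.set('www.example.com', 'somename', 'somevalue', { domain: '.example.com', path: '/' });
  jar.set('www.example.com', 'hostonly', '1');            // no domain attribute
  return {
    onApi: jar.get('api.example.com'),
    onWww: jar.get('www.example.com'),
    onOtherSite: jar.get('www.example.net'),
    rejected: jar.set('www.example.com', 'x', 'y', { domain: 'example.net' }),
  };
}
```

Note the trade-off this makes visible: a domain cookie is readable by every subdomain of example.com, not just api, which is the exposure Richard Hoffman's answer warns about on hosts that hand out free subdomains. Anything placed in the cookie should be treated as visible to all of them, and the secure flag keeps it off plain HTTP.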

Answered by mouhmedmahmoud

<script>
// Relax this popup's origin to the parent domain so it can reach the
// window.opener page, which must have set the same document.domain value.
document.domain = 'facebook.com';
try {
    if (window.opener && window.opener.graphexplorer) {
        // Hand the URL fragment (the auth response) back to the opener.
        window.opener.graphexplorer.authCallback(window.location.hash);
    }
} catch (e) {}

// Clear the fragment from the URL and close the popup.
window.location.hash = '';
window.close();
</script>

Answered by ahmet

<script>
document.domain = 'facebook.com';
try {
    if (window.opener && window.opener.graphexplorer) {
        window.opener.graphexplorer.authCallback(window.location.hash);
    }
} catch (e) {}
window.location.hash = '';
window.close();
</script>

Answered by ???????? ????

<script>
document.domain = 'facebook.com';
try {
    if (window.opener && window.opener.graphexplorer) {
        window.opener.graphexplorer.authCallback(window.location.hash);
    }
} catch (e) {}
window.location.hash = '';
window.close();
</script>