Are 127.0.0.1 and localhost considered as two different domains by browsers?

Question

Are 127.0.0.1 and localhost considered as two different domains by browsers and therefore enforce cross-domain (same origin policy) restrictions?

I observed it works sometime (in case of simple web pages) and does not work with Flex based web pages.

For example: Scenario I: In a web page called page1.htm, you call a script as follows:

<script type="text/javascript" src="js/somejsscript.js"></script>

or

<script type="text/javascript" src="http://localhost/js/somejsscript.js"></script>

and you access the page as http://localhost/page1.htm

Scenario II: You call the script as follows:

<script type="text/javascript" src="http://127.0.0.1/js/somejsscript.js"></script>

and you access the page as http://localhost/page1.htm

Answer 1

Origin is defined as a scheme/host/port (port is the default value for a scheme if it doesn't exist, e.g. port 80 for http, 443 for https). Same-origin is defined as a matching scheme/host/port. "localhost" and "127.0.0.1" are different hosts in this case. See http://en.wikipedia.org/wiki/Same_origin_policy#Origin_determination_rules

Answer 2

Yes, these are different origins for web security purposes; no browsers equate them. Technically "localhost" can point anywhere, and typically (on modern systems) it points to IPv6 rather than IPv4.