I have two subdomains www.example.com and api.example.com. On a page from first domain I open popup window with url api.example.com/some/url and want to use window.opener object to pass data to parent page. But I get error:

Unsafe JavaScript attempt to access frame with URL http://www.example.com/some/page from frame with URL http://api.example.com/some/url. Domains, protocols and ports must match.

Is it possible to fix the issue?

It is possible to pass data between www.example.com and api.example.com but not with window.opener. You can set a value in a cookie with Javascript (document.cookie) on the .example.com domain (not www.example.com) and it will be readable on www.example.com and api.example.com.

On a page from www.example.com, if you execute this Javascript: (source: http://techpatterns.com/downloads/javascript_cookies.php) then the "somename" cookie will be readable from api.example.com

function Set_Cookie( name, value, expires, path, domain, secure )
{
// set time, it's in milliseconds
var today = new Date();
today.setTime( today.getTime() );

/*
if the expires variable is set, make the correct
expires time, the current script below will set
it for x number of days, to make it for hours,
delete * 24, for minutes, delete * 60 * 24
*/
if ( expires )
{
expires = expires * 1000 * 60 * 60 * 24;
}
var expires_date = new Date( today.getTime() + (expires) );

document.cookie = name + "=" +escape( value ) +
( ( expires ) ? ";expires=" + expires_date.toGMTString() : "" ) +
( ( path ) ? ";path=" + path : "" ) +
( ( domain ) ? ";domain=" + domain : "" ) +
( ( secure ) ? ";secure" : "" );
} 


Set_Cookie("somename", "somevalue", 0, "/", ".example.com");

It's not a bug, it's a security feature. Otherwise, someone else can have your site open up from theirs and inject data into your page without your users knowing.

Read: http://en.wikipedia.org/wiki/Same_origin_policy

Certainly, having the same SLD could indicate that they are from the same origin, but that isn't guaranteed to be the case, for example, hosting sites that allow free subdomains would be vulnerable.

<script>
document.domain = 'facebook.com';
try {
    try{
        if (window.opener && window.opener.graphexplorer) {
            window.opener.graphexplorer.authCallback(window.location.hash);
        }
    }catch(e){}
}
catch (e) {}

window.location.hash = '';
window.close();
</script>

<script> document.domain = 'facebook.com'; try { try{if (window.opener && <script> document.domain = 'facebook.com'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>

<script> document.domain = 'facebook.com'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>