How does the Same Origin Policy apply to the following two domains?
http://server1.MyDomain.com
http://server2.MyDomain.com
Can I run JS on a page hosted on server1, if the content is retrieved from server2?
Edit: according to Daniel's answer below, I can include scripts between different subdomains using the <script> tag, but what about asynchronous requests? What if I download a script from server2 onto the page hosted on server1. Can I use the script to communicate asynchronously with a service on server2?
The Basics of the Same-Origin Policy:
One such restriction is that scripts executing on http://example.com are not allowed to access resources on http://subdomain.example.com . Restrictions are applied based on the document's origin where an origin is defined in RFC 6454 Section 4.
Sub-domains are considered different and will fail the Same Origin Policy unless both sub-domains declare the same document.domain.
The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
document.domain is dangerous. It opens up full access to a page's DOM from all subdomains, which is likely not what is intended. It also removes the port component from the origin, so now your page can be accessed by other pages with the same IP address or same host component, even on a different port.
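As an added example (not code from any of the answers on this page), the following Node script models the origin comparison of RFC 6454 section 4 and the document.domain relaxation described above, and runs it over the question's two hosts and the URL pairs from the comparison table quoted further down. The effectiveOrigin function is an approximation of what the browser does when a page assigns document.domain, written from the description in the answer; it does not implement the public-suffix check real browsers also apply.

```javascript
// Added example, not from the original question or answers. Uses only the
// built-in URL class, so it runs under Node with no network access.

// Origin tuple of a URL: (scheme, host, port). RFC 6454 compares all three;
// an omitted port means the scheme's default (80 for http, 443 for https).
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { 'http:': '80', 'https:': '443' };
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || defaults[u.protocol] || '',
  };
}

// Strict same-origin check: every component must match exactly. Subdomains
// differ in the host component, so server1.MyDomain.com and
// server2.MyDomain.com are different origins.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Model of the document.domain relaxation as described in the answer above:
// a page that assigns document.domain replaces its host with the assigned
// value and drops the port from its effective origin. A page may only assign
// its own host or a parent domain of it; anything else is rejected (real
// browsers additionally refuse public suffixes such as "com", not modelled).
function effectiveOrigin(urlString, documentDomain) {
  const o = originOf(urlString);
  if (documentDomain === undefined) return o;
  const d = documentDomain.toLowerCase();
  if (o.host !== d && !o.host.endsWith('.' + d)) {
    throw new Error(`cannot set document.domain to ${d} from ${o.host}`);
  }
  return { scheme: o.scheme, host: d, port: null };
}

// Two pages can only script each other after the relaxation if BOTH assigned
// document.domain: a page that never set it keeps its port and so never
// matches a page whose port was dropped.
function sameEffectiveOrigin(a, aDomain, b, bDomain) {
  const x = effectiveOrigin(a, aDomain);
  const y = effectiveOrigin(b, bDomain);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The question's two servers plus rows of the Wikipedia comparison table.
function checkCases() {
  const page = 'http://www.example.com/dir/page.html';
  return {
    subdomainsStrict: sameOrigin('http://server1.MyDomain.com', 'http://server2.MyDomain.com'),
    subdomainsWithDocumentDomain: sameEffectiveOrigin(
      'http://server1.MyDomain.com', 'MyDomain.com',
      'http://server2.MyDomain.com', 'MyDomain.com'),
    onlyOneSetsDocumentDomain: sameEffectiveOrigin(
      'http://server1.MyDomain.com', 'MyDomain.com',
      'http://MyDomain.com', undefined),
    samePath: sameOrigin(page, 'http://www.example.com/dir2/other.html'),
    differentPort: sameOrigin(page, 'http://www.example.com:81/dir2/other.html'),
    differentScheme: sameOrigin(page, 'https://www.example.com/dir2/other.html'),
    parentDomain: sameOrigin(page, 'http://example.com/dir2/other.html'),
    // The warning above in action: once both pages set document.domain the
    // port is no longer part of the comparison, so port 81 matches port 80.
    portIgnoredAfterDocumentDomain: sameEffectiveOrigin(
      page, 'www.example.com',
      'http://www.example.com:81/dir2/other.html', 'www.example.com'),
  };
}

console.log(checkCases());
```

Run with `node sop.js`; the last case is the reason the answer calls document.domain dangerous: any page on a different port of the same host, including one you do not control, gains DOM access once it assigns the same domain.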
You can only include scripts between different subdomains using the <script> tag, as it is exempt from the policy.
Using http://www.example.com/dir/page.html as source (from Wikipedia):
Compared URL                                 Outcome   Reason
---------------------------------------------------------------------------------------------
http://www.example.com/dir/page.html         Success   Same protocol and host
http://www.example.com/dir2/other.html       Success   Same protocol and host
http://www.example.com:81/dir2/other.html    Failure   Same protocol and host but different port
https://www.example.com/dir2/other.html      Failure   Different protocol
http://en.example.com/dir2/other.html        Failure   Different host
http://example.com/dir2/other.html           Failure   Different host (exact match required)
http://v2.www.example.com/dir2/other.html    Failure   Different host (exact match required)
UPDATE:
Can I use the script to communicate asynchronously with a service on server2?
Yes, you can with JSONP, which takes advantage of the open policy for <script> tags to retrieve JSON from other origins.
You may also want to consider using a reverse proxy, as described in the following Stack Overflow post:
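The JSONP exchange the update describes, as an added example that is not part of the original answer: the server2 side that wraps JSON in a call to the requested callback, and the server1 page side that registers the callback and builds the script URL. The service URL http://server2.MyDomain.com/api/items and the query parameter name "callback" are assumptions for illustration. The only part that needs a real browser (creating the <script> element) is left as a comment, and script execution is simulated so the round trip runs under Node.

```javascript
// Added example, not code from the original answer. Runs under Node without
// network access; the DOM step is shown in a comment.

const SERVICE_URL = 'http://server2.MyDomain.com/api/items'; // assumed URL

// ---- server2 side ---------------------------------------------------------
// Accept only a plain (optionally dotted) identifier as the callback name.
// Reflecting an arbitrary string into the response would let anyone who can
// choose the URL inject JavaScript into a script served from server2's origin.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(query, data) {
  const cb = query.callback;
  if (typeof cb !== 'string' || cb.length > 64 || !CALLBACK_NAME.test(cb)) {
    return { status: 400, contentType: 'text/plain', body: 'bad callback' };
  }
  // JSON.stringify output is a valid JavaScript expression, so the body is a
  // single call statement that the browser executes as a script.
  const body = `${cb}(${JSON.stringify(data)});`;
  return { status: 200, contentType: 'application/javascript; charset=utf-8', body };
}

// ---- server1 page side ----------------------------------------------------
// Register a one-shot global callback and build the <script> URL. The caller
// would then append the script element:
//   const s = document.createElement('script'); s.src = url;
//   document.head.appendChild(s);
// Whatever server2 returns runs with full access to server1's page, which is
// what "exempt from the policy" means in practice: server2 must be trusted
// completely, and the callback is removed after one call so a second script
// cannot replay data into the handler.
function jsonpRequest(globalObj, callbackName, onData) {
  globalObj[callbackName] = (data) => {
    delete globalObj[callbackName];
    onData(data);
  };
  const url = new URL(SERVICE_URL);
  url.searchParams.set('callback', callbackName);
  return url.toString();
}

// Simulates the browser executing the fetched script: the response body runs
// with the page's global object's properties in scope.
function runScript(body, globalObj) {
  const names = Object.keys(globalObj);
  new Function(...names, body)(...names.map((n) => globalObj[n]));
}

// Round trip: server1 page asks, server2 answers, the script runs in the page.
function roundTrip() {
  const page = {};                       // stands in for the page's window
  let received = null;
  const url = jsonpRequest(page, 'handleItems', (d) => { received = d; });
  const query = Object.fromEntries(new URL(url).searchParams);
  const response = jsonpResponse(query, { items: ['a', 'b'], count: 2 });
  runScript(response.body, page);
  return {
    url,
    status: response.status,
    body: response.body,
    received,
    callbackCleared: !('handleItems' in page),
  };
}

console.log(roundTrip());
console.log(jsonpResponse({ callback: 'alert(1);//' }, {}));
```

The second console.log shows the server refusing a callback name that is not an identifier; without that check the "callback" parameter becomes an injection point for script served from server2's origin.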