0

I have a site where I'm developing my REST endpoints on:

https://prefixone.somesite.com

And I have another site where I'm developing my UI Framework:

https://prefixtwo.somesite.com

I can successfully login and get a 200 response in IE. In FF and Chrome, I get a "405 METHOD NOT ALLOWED". Chrome sheds more light on the situation by saying "XMLHTTPRequest cannot load XXXXXXXXXXX. Origin xxxxxxxxxxx is not allowed by Access-Control-Allow-Origin.

Both of the sites are on somesite.com

Does this situation still qualify as XSS?

Lee Taylor
  • 7,761
  • 16
  • 33
  • 49
jake
  • 317
  • 5
  • 18
  • Pretty sure I've seen an workaround for this on MDN. – Fabrício Matté Aug 11 '12 at 22:15
  • 1
    This isn't XSS. This would be the [same origin policy](https://en.wikipedia.org/wiki/Same_origin_policy). – icktoofay Aug 11 '12 at 22:18
  • Thanks for the robust answer Fabricio. Ok - but what do you call this? XSS from same domain? I've googled my ass off trying to fix this. My code works fine in IE - but FF and Chrome (needed for web dev tools) are cussing at me when I attempt to go from one prefix to another prefix on the same root url. – jake Aug 11 '12 at 22:18
  • @jake: Have you tried searching for `Access-Control-Allow-Origin`? I just did and found [this document](http://www.w3.org/TR/access-control/), which looks like it should help you. – icktoofay Aug 11 '12 at 22:22
  • I'm looking for it as well but it's not easy to find. Read the notes section [here](https://developer.mozilla.org/en-US/docs/DOM/document.domain), FF allows you to communicate to `https://prefixone.somesite.com` if you set the `document.domain` in `https://prefixtwo.somesite.com` to the same as `prefixone.somesite.com`, and there was a page on MDN showing examples that supposedly works in FF and Chrome, but I'm not sure if that's very reliable. – Fabrício Matté Aug 11 '12 at 22:22
  • I've found related questions [here](http://stackoverflow.com/q/2404947/1331430) and [here](http://stackoverflow.com/q/926137/1331430), the questions seem more useful than the answers though. – Fabrício Matté Aug 11 '12 at 22:26
  • 1
    Here's a summed up version of how that workaround works: [MDN link](https://developer.mozilla.org/en-US/docs/Same_origin_policy_for_JavaScript) (right below the table), but if you have control of both domains you're probably better off setting up [CORS](https://developer.mozilla.org/en-US/docs/HTTP_access_control) to let your other subdomain have access to your REST subdomain. – Fabrício Matté Aug 11 '12 at 22:33

3 Answers3

2

Your question is "why would I still receive a 405 even though both url's are form XXXX.com?", but in fact, your URLs are NOT from the same domain.

xxx.yyyy.com and zzz.yyyy.com are not the same domain. They may share a significant part of their names, but they are not the same.

This is because it is perfectly possible for the owner of subdomains within a domain to be operated by entirely independent people. Consider uk.com. The owner of this domain sells the third-level domains within it as a competitor to the standard British country-level domain co.uk.

The sites at xxx.uk.com and zzz.uk.com are completely different sites, and you would not expect the former to be able to load content from the latter without violating the same origin policy rules.

The browser has no knowledge of which domains would do this and which wouldn't, so it plays it safe and assumes that any two subdomains could be operated by different people.

Even yyyy.com and www.yyyy.com are not considered the same thing.

I hope that answers your question.

As for what to do about it....

1) Put everything on the same subdomain. The most common reason for splitting a site across multiple subdomains is for performance, but unless you're operating Google or Facebook, it's unlikely to be critical to your performance, and there a probably other things you could do first that would be more helpful. Also, the new SPDY protocol (soon to evolve into HTTP v2) will render the technique obsolete.

2) If you must split it across multiple subdomains, you might want to look into using a crossdomain.xml file, which you can place on each server, to give them explicit permissions to access each other's content.

Spudley
  • 166,037
  • 39
  • 233
  • 307
0

Basically in your code you need to run the following in JavaScript:

document.domain = "somesite.com";

This will tell the browser that the part that should matter, for the purposes of the Same Origin Policy, is somesite.com not the prefixed part.

Look up "document domain" on Google for more.

Anthony Mills
  • 8,676
  • 4
  • 32
  • 51
0

the same origin policy restricts this. And as the name implies it works with origins, not domains. An origin is a full domain name + protocol + port number. So even two pages running on the same host cannot communicate if they are on different ports or protocols.

If you plan to support only newer browsers look at adding x-access-control headers. If you need to support older browsers look at something like easyXDM.

Erlend
  • 4,336
  • 22
  • 25