
I have 2 sub domains (1 site we host one we don't) - they both have SSL certs.

  1. api.mydomain.co.uk (the domain we do host with a valid ssl cert)
  2. test.mydomain.co.uk (the domain we don't host with an invalid cert but the same domain)

I have an AJAX call from test.mydomain.co.uk to api.mydomain.co.uk. Now obviously I get a No 'Access-Control-Allow-Origin' header is present on the requested resource error which I would expect.

But then I put document.domain = "mydomain.co.uk" in the code on test.mydomain.co.uk.

I thought that would solve the issue (I've never done this before though) as it is a subdomain. So my question is - is the invalid SSL causing a problem, or do I need to do something more like CORS etc?

Petter Hesselberg
user1102550

1 Answer


Yes, you need to configure CORS on your subdomain to make it behave like an API.

Let's say your page is requested from test.mydomain.co.uk: all AJAX calls made to test.mydomain.co.uk are from the same origin, so no CORS config is needed.

When you try to make calls to api.mydomain.co.uk, it will see it as another origin, even though it's the same domain, so you have to configure it to accept CORS requests. You do it on your NGINX, node, or whatever you're using as a webserver.

Here's how you'd do it on NGINX. http://enable-cors.org/server_nginx.html

Magus
  • Hi, I was under the impression that document.domain would work on the same domain. Is that not the case? The reason I'm asking is we don't control the domain calling the API, so I'm hoping for a solution that doesn't involve server-side code, as I don't know how long that will take them! If CORS is the only and, most importantly, the most secure way, that's fine though. – user1102550 Dec 19 '16 at 18:54
  • Hi, just to add (to answer my own question a little more) - I did a little more research and it seems, as indicated here, that the JavaScript document.domain is more for client-side subdomain interaction (e.g. iframes) rather than calls to server-side resources via AJAX, for which CORS is the preferred approach as pointed out by Magus. Here is a link https://stackoverflow.com/questions/15563611/why-doesnt-setting-document-domain-work-to-allow-ajax-requests-to-a-parent-doma – user1102550 Dec 20 '16 at 12:41
  • Nope, that article you pointed to refers to adding access control headers in the PHP code to make CORS work. CORS is a bitch and it's necessary because of browser protection; Chrome blocks all requests that do not follow these standards. For development though, you could use this extension: https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi – Magus Dec 20 '16 at 12:47
  • Hi, I ended up using JSONP. Just to point out, I linked to the article as it covered using document.domain in JavaScript, which I mistakenly believed would allow cross-domain AJAX calls. I didn't really make that clear. Now my understanding is that CORS is the generally recommended way of doing things. When you say it is a "bitch" :) could you elaborate? Basically, setting it up will involve talking to the third party who host the other site and it can be "challenging"; I am from a Microsoft background and they aren't. I'm happy to use JSONP in this case, however, assuming I can ensure it's secure. – user1102550 Dec 23 '16 at 09:03
  • CORS is intentionally a bitch; it's a client-side protection to prevent third-party scripts from running on your page without your permission. And just like most protection systems it gets misused and overridden. To describe the whole process I'd need a full page, but to shorten things up, let's say a malicious script is injected on your page (a humble WordPress). CORS would prevent this script from running on your page, since it's downloaded from or sends data to a URL that is not listed in your Cross-Origin Resource Sharing headers, therefore blocking the attack. People lose this when CORS is set to allow * – Magus Dec 28 '16 at 09:30
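The answer points at an NGINX config and the last comment warns against `Access-Control-Allow-Origin: *`. The following is an added example, not code from the question, the answer or the linked page: the same allowlist policy for api.mydomain.co.uk written as a small Node.js handler, so the headers the browser expects are visible in one place. The hostnames are the ones from the question; the `ALLOWED_ORIGINS` list, the `corsHeadersFor`/`handle`/`start` names and the permitted methods and request headers are assumptions for illustration.

```javascript
'use strict';

// Exact origins (scheme + host + port) allowed to call the API. An origin
// is compared as a whole, so http://test.mydomain.co.uk and
// https://test.mydomain.co.uk are two different entries. Do not put '*'
// here: with '*' every site on the web can read the responses, and
// browsers refuse '*' together with credentials anyway. Assumed list.
const ALLOWED_ORIGINS = new Set([
  'https://test.mydomain.co.uk',
]);

// Build the CORS response headers for one request, or return null when the
// Origin is missing or not allowlisted (the browser then blocks the
// cross-origin read). Reflecting the Origin only after checking it against
// the allowlist is the safe alternative to echoing any Origin back.
function corsHeadersFor(origin, method) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The response depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
  };
  if (method === 'OPTIONS') {
    // Preflight: PUT/DELETE and non-simple headers such as Authorization
    // make the browser ask first; answer with what is permitted and let it
    // cache the decision for 10 minutes. Assumed method/header set.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler for api.mydomain.co.uk. It sets the CORS headers when the
// caller is allowed and otherwise answers without them, which is what makes
// the browser fail the request on the test.mydomain.co.uk page.
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin, req.method);
  if (cors) {
    for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    // Preflight responses carry no body.
    res.writeHead(204);
    return res.end();
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

// Start the API server; e.g. start(8080) from a Node REPL or script.
function start(port) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
```

Two checks worth making against a real deployment: a request with `Origin: https://evil.example` must come back without any `Access-Control-Allow-Origin` header (not with `*`, and not with the attacker's origin reflected), and the plain-`http` variant of an allowed host must also be rejected, since the browser treats it as a different origin.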