
I have the main website hosted by a reliable static web hosting service, which only allows me to host static files like HTML, CSS, JS, etc. Now I have a few requirements which would need user login and data storage. I think I can handle this using App Engine Python.

My app is similar to a voting module, so I will explain it using that example. My plan is to configure things something like this:

main website: www.example.com
appengine:    gae.example.com

On the main website an anonymous user visits http://www.example.com/vote.html; he should see the current voting status (which has been retrieved from App Engine) and a login button (from Twitter/Facebook). When he logs in, he should be able to cast his vote, and the vote should be saved back to the App Engine server.

I can handle most things but two (taking the same-origin policy into account):

  • How do I maintain authentication between two domain names, i.e. www.example.com and gae.example.com?

  • How do I make an HTTP POST request to gae.example.com from www.example.com and use the returned JSON data?

Note: I want to avoid iframes as much as possible.

Shiv Deepak
    Is there a good reason not to just serve the static content from App Engine as well, and not need a separate subdomain? – Wooble Aug 24 '11 at 18:46
  • @Wooble: The website is vast, it is not maintained by me, and the static hosting service provides excellent tools for design/maintenance/updates, and uptime is really close to 100%. :-) Moving servers as of now will not have a positive effect. – Shiv Deepak Aug 24 '11 at 18:54
  • You really are making things more complicated for yourself by separating it out like this. – Nick Johnson Aug 25 '11 at 23:52

2 Answers


You need to use JSONP.

Subdomains actually violate the same origin policy. This is because some hosted solutions provide subdomains for different users. This would allow users to attack each other's sites.

See: Same Origin Policy - AJAX & using Public APIs

Diodeus - James MacFarlane

You can maintain login between the two sub-domains by making sure that the login cookie is set on the root domain with subdomain access allowed. The sub-domains will be able to access the cookies of the root domain. See https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com for some examples.

I don't believe you can make ajax calls directly to another sub-domain. If the target sub-domain is cooperating and supports JSONP, you can do it that way (you end up inserting a script tag with a call to a script and that script calls you back with the data). Because the loading of scripts isn't subject to the same origin policy, you can work around it, but the target sub-domain has to be configured to allow and support JSONP.

jfriend00
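An added example of the gae.example.com side of the design discussed in both answers (this is illustration code, not from the question or either answer, and it is framework-agnostic rather than App Engine API code). It shows the two mechanisms they describe, a login cookie scoped to the parent domain so that requests to both subdomains carry it, and a JSONP endpoint, together with the checks a practitioner would want: the callback name is reflected into executable JavaScript, so it is validated as a plain identifier; the cookie is sent to every host under example.com, so it is also marked Secure and HttpOnly; and because JSONP requests are plain GETs that carry the cookie (the POST in the question has to become a GET with query parameters), the vote endpoint also requires a per-session token. Assumptions, all hypothetical: the cookie is named "session", sessions and the tally live in in-memory dictionaries, the endpoints are "status" and "vote", and the token reaches www.example.com by some channel other than JSONP (JSONP responses can be embedded and read by any site, so a token returned through them would leak).

```python
"""Added example (not from the question or either answer): a framework-agnostic
sketch of the gae.example.com side of the design discussed above.

Assumptions, all hypothetical: cookie name "session", in-memory SESSIONS and
TALLY tables, a "status" and a "vote" JSONP endpoint, and a per-session token
"csrf" that www.example.com received outside JSONP (e.g. in the URL fragment of
the post-login redirect).
"""
import json
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Parent domain shared by www.example.com and gae.example.com. A cookie scoped
# here is sent to every host under example.com, so a compromised (or
# third-party hosted) subdomain can use it: scope it as narrowly as possible.
COOKIE_DOMAIN = "example.com"

# Constructed sample data: one logged-in user and the running tally.
SESSIONS = {"s3ss10n": {"user": "alice", "csrf": "t0k3n", "voted": False}}
TALLY = {"yes": 2, "no": 1}

# A JSONP callback name is reflected verbatim into a script the browser runs,
# so it must be a plain (optionally dotted) identifier and nothing else;
# otherwise ?callback=alert(1)// is reflected XSS on gae.example.com.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def login_cookie(session_id: str) -> str:
    """Set-Cookie value that requests to both subdomains will carry."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["domain"] = COOKIE_DOMAIN  # sent to *.example.com
    c["session"]["path"] = "/"
    c["session"]["secure"] = True           # HTTPS only
    c["session"]["httponly"] = True         # page JS cannot read it; the
    #                                         browser still sends it with <script src>
    c["session"]["samesite"] = "Lax"        # www and gae are one site, so
    #                                         JSONP loads still include it
    return c["session"].OutputString()


def jsonp_response(callback: str, payload: dict):
    """Return (status, headers, body) for a JSONP reply."""
    if not CALLBACK_RE.match(callback or ""):
        # Do not echo the bad name back; it is attacker-controlled.
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    # ensure_ascii escapes U+2028/U+2029, which are valid JSON but break JS.
    body = "/**/" + callback + "(" + json.dumps(payload, ensure_ascii=True) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def session_from(cookie_header: str):
    """Look up the session named by the request's Cookie header, if any."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def handle_status(query_string: str):
    """GET /status?callback=cb : anonymous, returns the current tally."""
    q = parse_qs(query_string)
    return jsonp_response(q.get("callback", [""])[0], {"tally": dict(TALLY)})


def handle_vote(query_string: str, cookie_header: str):
    """GET /vote?callback=cb&choice=yes&csrf=... : requires a session.

    JSONP forces a GET, and the browser attaches the cookie to any <script>
    load of this URL from any site, so the session cookie alone is not proof
    that www.example.com initiated the request; the token is.
    """
    q = parse_qs(query_string)
    callback = q.get("callback", [""])[0]
    session = session_from(cookie_header)
    if session is None:
        return jsonp_response(callback, {"error": "login required"})
    if q.get("csrf", [""])[0] != session["csrf"]:
        return jsonp_response(callback, {"error": "bad token"})
    choice = q.get("choice", [""])[0]
    if choice not in TALLY:
        return jsonp_response(callback, {"error": "unknown choice"})
    if session["voted"]:
        return jsonp_response(callback, {"error": "already voted"})
    TALLY[choice] += 1
    session["voted"] = True
    return jsonp_response(callback, {"ok": True, "tally": dict(TALLY)})
```

On the www.example.com side, vote.html would define `showStatus(data)` and insert `<script src="https://gae.example.com/status?callback=showStatus">`; the response body `/**/showStatus({...});` then runs in the page with the tally. Note that any other site can embed the same script tag, so nothing private should ever be returned through the JSONP endpoints.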