
Why do I still receive 405 errors even though both URLs are from XXXX.com?

I have a site where I'm developing my REST endpoints on:

https://prefixone.somesite.com

And I have another site where I'm developing my UI Framework:

https://prefixtwo.somesite.com

I can successfully login and get a 200 response in IE. In FF and Chrome, I get a "405 METHOD NOT ALLOWED". Chrome sheds more light on the situation by saying "XMLHTTPRequest cannot load XXXXXXXXXXX. Origin xxxxxxxxxxx is not allowed by Access-Control-Allow-Origin."

Both of the sites are on somesite.com

Does this situation still qualify as XSS?

Your question is "why would I still receive a 405 even though both URLs are from XXXX.com?", but in fact, your URLs are NOT from the same domain.

xxx.yyyy.com and zzz.yyyy.com are not the same domain. They may share a significant part of their names, but they are not the same.

This is because it is perfectly possible for subdomains within a domain to be operated by entirely independent people. Consider uk.com. The owner of this domain sells the third-level domains within it as a competitor to the standard British country-level domain co.uk.

The sites at xxx.uk.com and zzz.uk.com are completely different sites, and you would not expect the former to be able to load content from the latter without violating the same origin policy rules.

The browser has no knowledge of which domains would do this and which wouldn't, so it plays it safe and assumes that any two subdomains could be operated by different people.

Even yyyy.com and www.yyyy.com are not considered the same thing.

I hope that answers your question.

As for what to do about it....

1) Put everything on the same subdomain. The most common reason for splitting a site across multiple subdomains is for performance, but unless you're operating Google or Facebook, it's unlikely to be critical to your performance, and there are probably other things you could do first that would be more helpful. Also, the new SPDY protocol (soon to evolve into HTTP v2) will render the technique obsolete.

2) If you must split it across multiple subdomains, you might want to look into using a crossdomain.xml file, which you can place on each server, to give them explicit permissions to access each other's content.

Basically in your code you need to run the following in JavaScript:

document.domain = "somesite.com";

This will tell the browser that the part that should matter, for the purposes of the Same Origin Policy, is somesite.com not the prefixed part.

Look up "document domain" on Google for more.

The same origin policy restricts this. And as the name implies it works with origins, not domains. An origin is a full domain name + protocol + port number. So even two pages running on the same host cannot communicate if they are on different ports or protocols.

If you plan to support only newer browsers look at adding x-access-control headers. If you need to support older browsers look at something like easyXDM.
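The origin rule described in the answers above (scheme + host + port, with no credit for a shared parent domain), as an added example that is not part of any of the original posts. It uses only the standard WHATWG URL API, and the sample URLs are constructed to mirror the cases discussed on this page.

```javascript
// Added example (not from the original answers): compute the origin tuple of a
// URL and compare two URLs the way the browser's Same Origin Policy does.
// Runs unchanged in a browser or in Node (both provide the global URL class).

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns { scheme, host, port } for a URL. An omitted or default port is
// normalised to the scheme's default, so "https://a.com" and
// "https://a.com:443" compare equal, which matches browser behaviour.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Two URLs share an origin only if all three components match exactly.
// Sharing a parent domain (prefixone.somesite.com vs prefixtwo.somesite.com)
// is not enough, which is why the question's XHR is blocked.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Lists which components differ, useful when debugging an
// "Origin ... is not allowed by Access-Control-Allow-Origin" error.
function originMismatch(a, b) {
  const x = originOf(a), y = originOf(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

// Constructed sample cases taken from the situations discussed on this page.
const cases = [
  ["https://prefixone.somesite.com", "https://prefixtwo.somesite.com"], // host differs
  ["http://yyyy.com", "http://www.yyyy.com"],                           // host differs
  ["http://api.somesite.com", "http://api.somesite.com:8080"],          // port differs
  ["http://api.somesite.com", "https://api.somesite.com"],              // scheme and port differ
  ["https://a.somesite.com:443/x", "https://a.somesite.com/y"],         // same origin
];
for (const [a, b] of cases) {
  const verdict = sameOrigin(a, b) ? "same origin" : "blocked: " + originMismatch(a, b).join(", ");
  console.log(a, "vs", b, "->", verdict);
}
```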
