AJAX, Subdomains, and SSL

javascript ajax ssl subdomain
David Fritzman picture David Fritzman · Oct 23, 2008 · Viewed 23.7k times · Source

I have a site, foo.com, that makes ajax requests to bar.foo.com. Will this work.

Also, if foo is a secure connection, https, does bar.foo.com need to be https too? Can these two sites use different certificates?

Answer

joelhardi picture joelhardi · Oct 23, 2008

With plain-http AJAX: You are talking about doing cross-domain XMLHttpRequest, which is not permitted by browsers. There's a W3C proposal pending to implement this in a secure way in the future (partially implemented by IE8, IIRC), but it's definitely not possible at present.

There are, however, workarounds for doing it securely: Subspace (which uses iframes and document.domain), the fragment identifier technique (again, uses iframes) and window.name technique (again, iframes!).

As far as SSL goes, you can buy separate certificates for the domain and subdomain, or a single wildcard (*.foo.com) cert that covers them both (naturally, the wildcard cert will be more expensive).

If you have an HTTPS page that requests items from other domains, all will be well as long as everything is HTTPS. That means that if you use one of the iframe workarounds, you have to specify an https:// scheme URL in the src attribute of the iframe.

A final, less efficient, workaround is to have a script on https://foo.com that proxies requests to insecure http://bar.foo.com. (This also solves the XHR cross-domain problem, so you can ignore the other workarounds.) Of course, that means you're sending the XHR request to https://foo.com/someurl, it's then hitting http://bar.foo.com/someurl, receiving the response and sending it back to the browser, so performance-wise you're much better off just moving the server-side functionality of bar.foo.com onto foo.com, if you have that option. But if you can't move the server script, then proxying is the way to go.

EDIT: I changed the last 3 grafs after doing some extra testing and getting an iframe AJAX workaround (the #fragmentidentifier one) to work across different HTTPS domains. You can do SSL cross-domain AJAX using iframes as long as everything is https and the https scheme is used in the iframe src. Summarizing:

  1. Short answer: no, true cross-domain XHR not allowed
  2. Workaround with iframes: more efficient, need 2 SSL certs (or wildcard cert), somewhat complicated
  3. Workaround with proxy: less efficient, can do with 1 or 2 SSL certs (1 with backend request to bar.foo.com via http), somewhat complicated

Related questions

Disable same origin policy in Chrome

Is there any way to disable the Same-origin policy on Google's Chrome browser?

Read More
jQuery AJAX submit form

I have a form with name orderproductForm and an undefined number of inputs. I want to do some kind of jQuery.get or ajax or anything like that that would call a page through Ajax, and send along all the …

Read More
How do I return the response from an asynchronous call?

I have a function foo which makes an asynchronous request. How can I return the response/result from foo? I tried returning the value from the callback, as well as assigning the result to a local variable inside the function …

Read More