With plain-http AJAX: You are talking about doing cross-domain XMLHttpRequest, which is not permitted by browsers. There's a W3C proposal pending to implement this in a secure way in the future (partially implemented by IE8, IIRC), but it's definitely not possible at present.
There are, however, workarounds for doing it securely: Subspace (which uses iframes and document.domain), the fragment identifier technique (again, uses iframes) and the window.name technique (again, iframes!).
As far as SSL goes, you can buy separate certificates for the domain and subdomain, or a single wildcard (*.foo.com) cert that covers them both (naturally, the wildcard cert will be more expensive).
If you have an HTTPS page that requests items from other domains, all will be well as long as everything is HTTPS. That means that if you use one of the iframe workarounds, you have to specify an https:// scheme URL in the src attribute of the iframe.
A final, less efficient, workaround is to have a script on https://foo.com that proxies requests to insecure http://bar.foo.com. (This also solves the XHR cross-domain problem, so you can ignore the other workarounds.) Of course, that means you're sending the XHR request to https://foo.com/someurl, it's then hitting http://bar.foo.com/someurl, receiving the response and sending it back to the browser, so performance-wise you're much better off just moving the server-side functionality of bar.foo.com onto foo.com, if you have that option. But if you can't move the server script, then proxying is the way to go.
EDIT: I changed the last 3 grafs after doing some extra testing and getting an iframe AJAX workaround (the #fragmentidentifier one) to work across different HTTPS domains. You can do SSL cross-domain AJAX using iframes as long as everything is https and the https scheme is used in the iframe src. Summarizing:
- Short answer: no, true cross-domain XHR not allowed
- Workaround with iframes: more efficient, need 2 SSL certs (or wildcard cert), somewhat complicated
- Workaround with proxy: less efficient, can do with 1 or 2 SSL certs (1 with backend request to bar.foo.com via http), somewhat complicated