Cross Origin Resource Sharing (CORS) across Subdomains

9
votes

Suppose I have an app at www.example.com (a)

If my resource is at www.someotherdomain.com (b) and I make an AJAX call from (a) to (b) then CORS rules would apply.

However if my resource is located at api.example.com (c) then one would expect to avoid CORS when making an AJAX request from (a) to (c) - however, I have found this not to be the case.

CORS rules still apply when making requests across subdomains - is this true?

Is there away around this rule (without using JSONP)?

I cant imagine that all requests made between www.amazon.com and resource.amazon.com, for instance, are always CORS requests. Managing the headers and preflight request/response seems tedious & costly at scale.

Anything Im missing here?

2
ajaxhttpxmlhttprequestcorsmxhr
sub domain is a different origin. CORS is actually relatively easy to deal with, unless you wanted to get super specific with it and only allow it on particular endpoints for particular origins, but even that isn't all that difficult.Kevin B
Thank you. I agree that it isnt too difficult but it seems like the preflight requests can degrade performance at scale (suppose my app makes 1000 requests, ignoring performance improvements due by changing request architecture). is this not a significant issue?yevg
I don't think the preflight gets sent with every request. If you for example sent a dozen in a row there would only be oneKevin B

2 Answers

5
votes

CORS is for a single set of protocol:domain:port, or null, or *. See https://www.w3.org/TR/cors/#access-control-allow-origin-response-header.

So the answer to your question is, Yes, CORS rules will still apply to your subdomains.

3
votes

One note - you can make a call from (c) to (a) using the document.domain method outlined in the top answer here

Ways to circumvent the same-origin policy