Why are Visualforce pages served from a different domain?
If we look carefully, all our Visualforce pages are served from a URL like “c.YOURSERVER.visual.force.com/apex/YOURPAGENAME”. Because of this, most of the time we run into a Same-Origin Policy error in JavaScript if we try to access the parent page from an iframe. The reason was explained by one of Salesforce's evangelists:
“The move to separate domains has one very specific purpose: leverage the browser security model (same domain policy) to protect our customers and the salesforce.com service from cross site scripting and cross site request forgery attacks.
Moving to the serving pages from separate domains is a critical component of our ongoing commitment to insure the highest level of security and availability for everyone.
In the world where everything is served from the same domain any custom page that you visit had full access to any other page in your org and also any page served from salesforce.com itself. This included potentially malicious code that was installed as part of a force.com package.”
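The isolation described in the quote comes down to the browser comparing origins. As an added example (not from the original post or from Salesforce), the JavaScript below models that comparison and shows a parent page accepting iframe messages only from one exact origin. The `https` scheme, the parent host `YOURSERVER.salesforce.com` and the `other.example` look-alike host are constructed placeholders.

```javascript
// Added example: models the browser's same-origin comparison and a strict
// origin check for window "message" events. Host names are placeholders.

// An origin is the (scheme, host, port) tuple; URL.origin serialises it
// and lower-cases the host, as the browser does.
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin only if scheme, host and port all match exactly.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Build a "message" handler for the parent page that accepts data from one
// exact origin. Substring or suffix matching on the host would be unsafe.
function makeMessageHandler(allowedUrl, onTrusted) {
  const expected = originOf(allowedUrl);
  return function handle(event) {
    if (event.origin !== expected) return false; // ignore untrusted senders
    onTrusted(event.data);
    return true;
  };
}

// Constructed sample values in the placeholder style used on this page.
const VF_PAGE = "https://c.YOURSERVER.visual.force.com/apex/YOURPAGENAME";
const PARENT_PAGE = "https://YOURSERVER.salesforce.com/";

function demo() {
  const received = [];
  const handler = makeMessageHandler(VF_PAGE, (d) => received.push(d));
  const vf = "c.yourserver.visual.force.com";
  return {
    // The iframe and its parent differ in host, so direct DOM access is blocked.
    crossOrigin: !isSameOrigin(VF_PAGE, PARENT_PAGE),
    accepted: handler({ origin: `https://${vf}`, data: "resize:400" }),
    rejectedLookalike: handler({ origin: `https://${vf}.other.example`, data: "x" }),
    rejectedScheme: handler({ origin: `http://${vf}`, data: "x" }),
    received,
  };
}

console.log(demo());
```

In a browser, the handler would be registered on the parent page with `window.addEventListener("message", handler)`.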