Please explain cs2.salesforce.com vs c.cs2.salesforce.com
Why is it that when using a sandbox the main salesforce application is hosted on https://cs2.salesforce.com, but visualforce pages are hosted on https://c.cs2.salesforce.com?
When embedding a visualforce page on an object's page layout the use of two different servers creates a cross-domain scripting issue.
Doesn't it make sense for all pages of a given salesforce org/instance to be served from ONE server?
I am equally upset by the cross-domain problems caused by this... the format seems to be:
thus... it is in the "force.com" domain... not "salesforce.com".
I'm willing to bet dollars to doughnuts that there was good reason for this change... but I just wish I knew what it was. Furthermore... I wish I had a way to embed VF pages in my page layouts and facilitate communication between them and the pages they are in without hitting cross-domain issues.
The move to separate domains has one very specific purpose: leverage the browser security model (same domain policy) to protect our customers and the salesforce.com service from cross site scripting and cross site request forgery attacks.
Moving to serving pages from separate domains is a critical component of our ongoing commitment to ensure the highest level of security and availability for everyone.
In the world where everything is served from the same domain any custom page that you visit had full access to any other page in your org and also any page served from salesforce.com itself. This included potentially malicious code that was installed as part of a force.com package.
We are looking at providing a packaged solution to the resizing of inlined pages limitation that does not violate the browser security model (HINT: leverages this secure approach that requires both sides of the equation agree to cooperate) for a future release.
I just encountered the same issue, but oddly it did not occur in my small sandbox. It only started happening when I deployed to my larger UAT test sandbox.
Is there a reason why I would not see this in one environment versus another?
Can this problem be resolved by adding the VisualForce server(s) to the Trusted Sites security settings of IE (my only target browser)?
David
I would guess that your smaller sandbox was refreshed (or created) BEFORE the change was made to host VF from a different domain, while the UAT environment was refreshed (or created) AFTER. The next time you refresh the smaller sandbox, it too will have separate domains for VF pages.
To answer the second question... no... trusted domain lists have nothing to do with this issue... "cross-domain scripting" is something that simply cannot happen... which is why salesforce is using two domains. It is a sure-fire way to stop visualforce pages from 'running amok' so to speak, on your salesforce server org/data.
Thanks for the response, you're right regarding the creation/refresh timing.
It's odd that I don't receive the warning message myself when I am in UAT viewing the same content. Any thoughts on that? I'm using IE7, though I believe those receiving the error may be using IE6. Perhaps IE7 is more permissive, or I've got a setting that's tweaked?
@Doug, do we have any updates about the packaged solution you mentioned?
Also resizing of frames is not the only task, hiding buttons or adding ajax behaviour is also required to be supported between force.com and salesforce.com pages.
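
As an added example (not code from any poster or from Salesforce), here is the host-page half of a cooperative cross-origin resize channel of the kind the thread asks for, built on `window.postMessage`. The thread does not say which mechanism the packaged solution uses; the message shape, the `vfFrame` id and the height limits are hypothetical, the origin is the one quoted in the question, and a browser that implements `postMessage` is assumed.

```javascript
// Added example: host page accepts resize requests from an embedded VF page.
// Assumed (hypothetical) sender code inside the Visualforce page:
//   parent.postMessage(JSON.stringify({type: 'vf-resize', height: N}),
//                      'https://cs2.salesforce.com');
const VF_ORIGIN = 'https://c.cs2.salesforce.com'; // origin quoted in the thread
const MIN_HEIGHT = 50;    // constructed limits, tune for your layout
const MAX_HEIGHT = 4000;

// Takes a MessageEvent-like object and returns the height to apply,
// or null when the message must be ignored.
function acceptedHeight(event, expectedOrigin, expectedSource) {
  // 1. Exact origin comparison; never substring or suffix matching.
  if (event.origin !== expectedOrigin) return null;
  // 2. The sender must be the iframe we embedded, not some other window.
  if (event.source !== expectedSource) return null;
  // 3. The payload is untrusted data: bound its size, parse, check the shape.
  if (typeof event.data !== 'string' || event.data.length > 256) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'vf-resize' || !Number.isInteger(msg.height)) return null;
  // 4. Clamp so the frame cannot be stretched over the rest of the host page.
  return Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, msg.height));
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('vfFrame'); // hypothetical iframe id
  if (frame) {
    window.addEventListener('message', (event) => {
      const h = acceptedHeight(event, VF_ORIGIN, frame.contentWindow);
      if (h !== null) frame.style.height = h + 'px';
    });
  }
}
```

The host page only ever applies a validated number to one style property, so the embedded page gains no script access to the salesforce.com document, which is the isolation the separate domains were introduced to provide.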