• Bulent Dogan
We have a managed package that works at every customer except one. At this customer we are realizing that the salesforce.com domain is used to serve the Visualforce page. In other orgs, we see that the Visualforce pages are served from the visual.force.com domain. We know that there is an internal setting that can disable serving VF pages from the Salesforce.com domain. However, obviously we are puzzled on why this is enabled for this org vs the others and what the trigger is?

When the pages are served from salesforce.com domain, we get errors such as:

... from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Any insight will be appreciated so that when we suggest this solution to our customer, we can also be confident that there is no harm doing this.
 
We are using a third party company to scan our salesforce code for SOQL Injection and Vulnerability issues with open page redirects. The below code is flagged as a vulnerability.
public PageReference customCancel() {
    // Builds the redirect target by concatenating OptyId into the URL string.
    PageReference objPageref = new PageReference('/apex/FulcrumInlineEdit?id=' + OptyId);
    objPageref.setRedirect(true);
    return objPageref;
}
The page is not using any URL hacking mechanisms like saveUrl, retUrl or cancelUrl. Based on the information given in the trailhead Prevent Open Redirects in your code (https://trailhead.salesforce.com/en/content/learn/modules/secdev_application_logic_vulnerabilities/secdev_app_logic_preventing_open_redirect), I am not sure how to modify the above code to make it secure. Can someone help?
 
  • May 08, 2020
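One way to remove the concatenation that scanners typically flag in the customCancel() method above, as an added example that is not part of the original post: validate the value as a record Id first, then pass it through getParameters() on a fixed page reference. The class name and the toOpportunityId helper are hypothetical, and the code assumes OptyId is a String that should hold an Opportunity Id and that the FulcrumInlineEdit page exists in the org.

```apex
// Added example (not the poster's code). Class and helper names are hypothetical.
public with sharing class InlineEditCancelExample {

    // Assumption: OptyId is a String that may originate from a request parameter.
    public String OptyId { get; set; }

    public PageReference customCancel() {
        Id safeId = toOpportunityId(OptyId);
        if (safeId == null) {
            // Refuse to build a redirect from a value that is not a valid Id.
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Invalid record Id.'));
            return null;
        }

        // Page.<Name> fixes the destination at compile time, so user input
        // can never change the path or host of the redirect.
        PageReference objPageref = Page.FulcrumInlineEdit;

        // getParameters() URL-encodes the value; no hand-built query string.
        objPageref.getParameters().put('id', String.valueOf(safeId));
        objPageref.setRedirect(true);
        return objPageref;
    }

    // Returns the value as an Id only if it parses as a Salesforce Id and
    // belongs to the expected object type (assumed here to be Opportunity).
    @TestVisible
    private static Id toOpportunityId(String raw) {
        if (String.isBlank(raw)) {
            return null;
        }
        try {
            Id candidate = Id.valueOf(raw.trim());
            return candidate.getSObjectType() == Opportunity.SObjectType
                ? candidate
                : null;
        } catch (Exception e) {
            // Id.valueOf throws on malformed input; treat it as invalid.
            return null;
        }
    }
}
```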
I have been trying to install a third party application which will allow us to integrate Salesforce to Dropbox (fileIT - Dropbox for Salesforce).

Some functionality is not working because the visualforce pages are coming from Salesforce.com & not Force.com. (See below for the full answer from the application provider)

Is it possible to turn off the permission which enables VF pages to be served from the http://salesforce.com domain?

Regards


----------------------------------------------------------------

From the App Provider..
"---------- Forwarded message ----------
From: Beaufort 12 Support
Date: 22 April 2014 14:59
Subject: Re: Not Working for Custom Objects
To: shay.downey@selfhelpafrica.org


Ross Layton
APR 22, 2014 | 02:59PM BST
Hi Shay,

I have just checked and I can see you are doing everything correctly.

The problem, and I have only seen it once before, is that the Visualforce pages are coming from Salesforce.com, not Force.com; it is a known bug.

You’ll need to raise a case with Salesforce and ask them to turn this permission off – Enables VF pages to be served from the http://salesforce.com domain.

We are not sure why it is switched on, and it's worth checking it will not impact on anything else you have.

Really sorry it's not better news, but it's out of our control.

Thanks

Ross"...