I'm having difficulty reconciling some conflicting information from StackOverflow and other sources regarding the use of calls across sub-domains. Consider these two independent sites that share a common domain:
- site #1:
- site #2:
- Site #1 must be able to execute an AJAX call to site #2 by way of
- Site #1 and Site #2 must be able to read each other's cookies.
These requirements lead me to the following questions:
- Does the handler code located at sub.myDomain.com/handler.ashx need to alter its response headers to allow CORS? I know that I can write a call like this:
…but from what I read, this will expose the handler to all domains. I just want to limit the calls to those originating from
. What if I don't include the CORS header at all? What's the default behavior?
- Do Site #1 and/or Site #2 need to tweak the Domain property of HttpCookie in order for the two sites to read each other's cookies?
What if I don't touch the Domain properties at all? What's the default behavior? Some forum responses suggest that cookie scope will be limited to the subdomain, while others suggest the entire domain is in scope (which is what I want) in which case no action would be required on my part.
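
The two settings asked about above, sketched as an added example (not code from the original post): a generic handler that returns CORS headers only for an allow-listed origin, and a cookie whose `Domain` is set to the parent domain. The origin `https://www.myDomain.com`, the HTTPS scheme, and the cookie name and value are placeholders assumed for illustration, since the post does not show the site URLs.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class Handler : IHttpHandler
{
    // Assumed placeholder for site #1: scheme + host (+ port) must match exactly.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "https://www.myDomain.com" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        string origin = request.Headers["Origin"];
        bool allowed = !string.IsNullOrEmpty(origin) && AllowedOrigins.Contains(origin);

        // The response differs per Origin, so shared caches must key on it.
        response.AppendHeader("Vary", "Origin");
        if (allowed)
        {
            // Echo the one matching origin instead of "*".
            response.AppendHeader("Access-Control-Allow-Origin", origin);
            // Required when the call carries cookies; browsers reject it with "*".
            response.AppendHeader("Access-Control-Allow-Credentials", "true");
        }
        // With no Access-Control-Allow-Origin header, the browser's same-origin
        // policy stops the calling page from reading the response.

        if (request.HttpMethod == "OPTIONS")
        {
            if (allowed)
            {
                response.AppendHeader("Access-Control-Allow-Methods", "GET, POST");
                response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
            }
            response.StatusCode = 204; // preflight carries no body
            return;
        }

        // Domain set to the parent: sent to myDomain.com and all its subdomains.
        // Domain left unset: host-only (RFC 6265), sent only to the issuing host.
        var cookie = new HttpCookie("shared", "constructed-value")
            { Domain = ".myDomain.com", HttpOnly = true, Secure = true };
        response.Cookies.Add(cookie);

        response.ContentType = "application/json";
        response.Write("{\"ok\":true}");
    }
}
```

For the browser to attach cookies to the cross-origin call, the calling page also has to set `withCredentials = true` on its `XMLHttpRequest`.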