About me
I live in Lund and work, well, at probably the best company in the world
Thanks Anatoly, really interesting
Well, the same-origin policy exists for a reason and I’m not sure why MS does it this way in O365. There is some more information and recommendation here: http://technet.microsoft.com/en-us/library/fp161237%28v=office.15%29.aspx – Take Google as an example. Google uses google.com for trusted activities and *.googleusercontent.com for untrusted sites. Read about the cookie security here: http://security.stackexchange.com/questions/12412/what-cookie-attacks-are-possible-between-computers-in-related-dns-domains-exa
I really don’t like the custom domain for apps, but everything suggests we really should use it. Would be great if MS would shed some light on how they implemented it for O365.
Thank you for your comment. What I’ve been thinking about is also Yammer. Yammer uses the same domain (not even implementing subdomains) for all companies: yammer.com/companyA, yammer.com/companyB and so on. I am sure they have security tools in place to prevent unauthorized access, but from my point of view, and I suppose from yours (the Google example), it is done the wrong way in the foundation of the service.