I have Server A (www.example.com) sending information to Server B. I can only have HTML / JS on Server A (and have to do the "crunching" on Server B) so I'm trying to send form data via AJAX (trying to avoid a form post to Server B - don't ask).

Obviously doing an AJAX call cross-domain is considered XSS and a big no-no, but if I were to put Server B in a subdomain (sub.example.com), would that be considered okay? How are cross-domain errors detected? Does the browser look up DNS records? IP address?

Thanks in advance for your help.

+3  A: 

Sub-domains are considered different and will fail the Same Origin Policy unless both sub-domains declare the same document.domain DOM property (and even then, different browsers behave differently).

Ben S
+1  A: 

Short answer: No. See the Same Origin Policy.

You can only make an XHR request to the same host, port, and protocol.

If you want to do Ajax without sticking to that, you can look at JSON-P.

(XSS is a completely different kettle of fish, in which a site allows data to be injected into it (e.g. via a URI) that gets treated as JS allowing third parties to direct people to your site, while they are logged into it, and steal or edit data.)

David Dorward
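
The check both answers describe, as an added example that is not from either answer: the origin is compared as a (protocol, host, port) tuple taken from the URL text itself, with no DNS or IP lookup, so a subdomain or an IP address that points at the same server is still a different origin. The function names and sample URLs (including the 192.0.2.10 address) are constructed for illustration.

```javascript
// Added example: compare two URLs the way the Same Origin Policy does.
// Default ports are filled in so that http://host and http://host:80 match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(urlString) {
  const u = new URL(urlString); // lowercases the host, drops a default port
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Returns the list of origin components that differ (empty = same origin).
function originMismatch(pageUrl, targetUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(targetUrl);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

function isSameOrigin(pageUrl, targetUrl) {
  return originMismatch(pageUrl, targetUrl).length === 0;
}

// Constructed sample: the page on Server A and candidate XHR targets.
const page = "http://www.example.com/form.html";
const targets = [
  "http://www.example.com/crunch",       // same origin
  "http://WWW.EXAMPLE.COM:80/crunch",    // same origin after normalisation
  "http://sub.example.com/crunch",       // subdomain: host differs
  "https://www.example.com/crunch",      // scheme and (default) port differ
  "http://www.example.com:8080/crunch",  // port differs
  "http://192.0.2.10/crunch",            // IP literal: host string differs
];

for (const t of targets) {
  const diff = originMismatch(page, t);
  const verdict = diff.length ? "cross-origin (" + diff.join(", ") + ")" : "same origin";
  console.log(t.padEnd(38) + verdict);
}
```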