Find your content:

Search form

You are here

Why are visualforce pages served from a different domain?


There are a number of reasons why this is frustrating. The biggest for me is that embedded visualforce pages can't use JavaScript to access the parent frame. There doesn't seem to be any benefit serving visualforce from a separate domain, is it a security decision? I am sure there are still plenty of ways to use the platform for something evil. I am not looking for a solution to a specific problem just a better understanding of why visualforce was implemented in this way.

Attribution to: Daniel Blackhall

Possible Suggestion/Solution #1

While I've never seen this information in an official Salesforce document, Doug Chasman answered this on the developerforce boards back in 2009:

The move to separate domains has one very specific purpose: leverage the browser security model (same domain policy) to protect our customers and the service from cross site scripting and cross site request forgery attacks.

Moving to the serving pages from separate domains is a critical component of our ongoing commitment to insure the highest level of security and availability for everyone.

In the world where everything is served from the same domain any custom page that you visit had full access to any other page in your org and also any page served from itself. This included potentially malicious code that was installed as part of a package.

The original thread can be found at:

Attribution to: Bob Buzzard
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content